ABSTRACT

Program synthesis is the automated derivation of a computer program from a given specification. In the deductive approach, the synthesis of a program is regarded as a theorem-proving problem; the desired program is constructed as a by-product of the proof. This paper presents a formal deduction system for program synthesis, with special features for handling equality, the equivalence connective, and ordering relations.

In proving theorems involving the equivalence connective, it is awkward to remove all the quantifiers before attempting the proof. The system therefore deals with partially skolemized sentences, in which some of the quantifiers may be left in place. A rule is provided for removing individual quantifiers when required after the proof is under way.

The system is also nonclausal; i.e., the theorem does not need to be put into conjunctive normal form. The equivalence, implication, and other connectives may be left intact.
INTRODUCTION

One of the earliest techniques for program synthesis, the automated construction of a computer program, has been the deductive approach, in which the program is developed by proving a theorem corresponding to the given specification. While program synthesis does not typically require the proof of deep mathematical theorems, it does need deductive systems specially designed to handle constructs commonly occurring in specifications, such as equality, equivalence, and orderings.

In this paper, we present a formal system with facilities for dealing with the equality predicate (=), the logical equivalence connective (≡), and the ordering relations. The system allows us to defer skolemization, the removal of quantifiers, when it is inconvenient. The system is machine-oriented and intended for implementation in interactive and automatic program synthesis systems.


The Deductive Approach

In Manna and Waldinger [1980] we presented a deductive system for the synthesis of applicative (side-effect-free) programs. The paper considered specifications of form

    f(x) ⇐ find z such that r(x, z)
           where p(x).

In other words, for an arbitrary input x, the program f is to yield an output z satisfying an output condition r(x, z), provided that the input satisfies the input condition p(x). The theorem corresponding to the specification is

    (∀x)[if p(x) then (∃z)r(x, z)].

The proof is restricted to be sufficiently constructive so that, in establishing the existence of an output z satisfying the required relationship, it tells us how to compute such an output.

For example, to specify a program to find the quotient of dividing a nonnegative integer i by a positive integer j, we write

    quot(i, j) ⇐ find z such that
                     isinteger(z) and
                     (∃y)[isinteger(y) and
                          i = z·j + y and
                          0 ≤ y and y < j]
                 where isinteger(i) and isinteger(j) and
                       i ≥ 0 and j > 0.

Here the predicate isinteger(u) is a type predicate expressing that u is an integer. The theorem corresponding to this specification is

    (∀i)(∀j)[if isinteger(i) and isinteger(j) and
                i ≥ 0 and j > 0
             then (∃z)[isinteger(z) and
                       (∃y)[isinteger(y) and
                            i = z·j + y and
                            0 ≤ y and y < j]]].

(For simplicity, we shall omit the type predicates when the context makes the type clear.)


Design Criteria for a Formal System

A formal system to prove such theorems must have the following capabilities:

• It must prove theorems with both universal and existential quantifiers.

• It must be able to handle theories with mathematical induction, such as nonnegative integers, finite sets, lists, and trees.

• It must be facile in handling the equality predicate, the equivalence connective, and the ordering relations; these appear frequently in specifications.

In addition, we want the proofs to appear natural to people. The advantage of such a quality for an interactive system is self-evident. For an automatic system, our hope is that a natural form will enable us to exploit the heuristics of human intuition. On the other hand, we also want the system to be machine-oriented, in the sense that there should be only a small number of legal next steps to choose from at each stage.

It has long been observed that systems requiring the theorem to be converted into clause form can cause it to explode and lose intuitive content. Such systems are particularly awkward for proving theorems by mathematical induction, because, if the induction hypothesis is propositionally complex, it may be dispersed over several clauses. This makes it difficult to recognize when we have succeeded in reducing the theorem to an instance of the induction hypothesis, since the theorem and the induction hypothesis will be syntactically dissimilar. A nonclausal system, which does not require us to transform the theorem to clause form, is thus particularly appropriate for program synthesis.


Equivalence and Equality

Our earlier deductive system (Manna and Waldinger [1980]) and that of Murray [1982] are both nonclausal and are suitable candidates for program synthesis. However, neither system has any special provisions for handling equality, equivalence, or orderings. The equality predicate is of obvious importance in expressing the specifications of programs. Ordering relations not only occur frequently in specifications, but are also used in the "well-founded induction principle" we employ. The equivalence connective is of special importance in dealing with specifications expressed in terms of the set constructor {x : p(x)} ("the set of all x such that p(x)").

For example, we might specify a program to find the Cartesian product of two finite sets s1 and s2 as follows:

    cart(s1, s2) ⇐ find z such that
                       z = {y : (∃x1)(∃x2)[y = (x1, x2) and
                                          x1 ∈ s1 and x2 ∈ s2]}

(Here (x1, x2) denotes the pair of elements x1 and x2.) Unless the theorem prover deals explicitly with the set constructor, we are likely to rephrase the specification with the circumlocution:

    cart(s1, s2) ⇐ find z such that
                       (∀y)[y ∈ z ≡ (∃x1)(∃x2)[y = (x1, x2) and
                                                x1 ∈ s1 and x2 ∈ s2]]

In fact, even if we have the set constructor in our formal language, we are likely to rephrase it in terms of equivalence during the proof.

Now an equivalence has appeared in our specification and the corresponding theorem. Of course, we can remove it by appealing to such rewriting transformations as

    P ≡ Q ⇒ (if P then Q) and (if Q then P)

or

    P ≡ Q ⇒ (P and Q) or ((not P) and (not Q)).

But decomposing the connective in this way may needlessly multiply the length of the proof and destroy its intuitive content. Instead, we present deduction rules for dealing with equivalence explicitly in a nonclausal setting.


Skolemization

Traditionally, all the quantifiers of a theorem are removed by skolemization before the proof begins. However, if the theorem contains an explicit equivalence, we cannot remove any quantifiers in its scope without removing the equivalence first, as we shall see. Our earlier system and that of Murray deal only with fully skolemized sentences, from which the equivalences have been removed. The rules we present here, on the other hand, can be applied to partially skolemized sentences, in which some of the quantifiers and equivalences may remain intact. We also present rules for removing quantifiers one at a time, as it becomes expedient, at any point in the theorem-proving process.

Our treatment here will be informal; we shall justify only some of the rules, and in an intuitive way.


THE DEDUCTIVE APPROACH

Deductive Tableaus

The basic structure of this approach is the deductive tableau, which consists of a set of rows; each row contains either an assertion or a goal, and an optional associated output entry.

Example:

The rows below are part of the tableau for the synthesis of the integer quotient program; in the actual synthesis, these rows are interspersed with others.

    assertions             goals                                outputs
                                                                quot(i, j)
    1. i ≥ 0 and j > 0
                           2. i = z·j + y and
                              0 ≤ y and y < j                   z
                           3. i < j                             0
                           4. j ≤ i                             quot(i − j, j) + 1

Here, i and j are constants, and y and z are variables. An instance of a row is obtained by replacing free variables of a row with terms; constants and bound variables cannot be replaced. |

The intuitive meaning of the tableau is that if, under any given interpretation, every instance of each of the assertions is true, then some instance of at least one of the goals is true. In this case, we will say that the entire tableau is valid. Furthermore, if some instance of one of the goals is true or some instance of one of the assertions is false, then the corresponding instance of the output entry will satisfy the specification for the desired program.

Thus, the goals of the tableau have a tacit disjunction between them, while the assertions have a tacit conjunction. In addition, the free variables of the goals have a tacit existential quantification, while the free variables of the assertions have a tacit universal quantification.

For example, the second row above has a free variable z, which is also the output entry. This means that if, for a given interpretation, there is some value of z for which goal 2 is true, then that value of z will satisfy the specification for the quotient program.

If an assertion has no output entry, we are not concerned with the output in the case in which the assertion is false. For example, assertions that are axioms will have no output entries. Typically, all the goals will have output entries.

A tableau that contains as a goal the proposition true, or as an assertion the proposition false, will always be valid.

It is possible to use tableaus that contain more than one output column, corresponding to the synthesis of systems of more than one program, but we shall not discuss this extension here.

Note that the distinction between assertions and goals is artificial and does not increase the logical power of the system. In fact, if we delete an assertion from the tableau and add its negation as a new goal, or delete a goal and add its negation as a new assertion, we obtain an equivalent tableau; this is known as the duality property. The distinction between assertions and goals does make proofs easier for people to understand and may have strategic import.

The free variables in a row are dummies; they may be systematically replaced by new variables without changing the meaning of the tableau. For simplicity, we assume that the variables are implicitly standardized apart, so that the variables of any row are distinct from those of any other row, and the variable bound by one quantifier is distinct both from that bound by any other quantifier and from any free variable. If, in an example, we happen to write a tableau in which this restriction is violated, we may imagine that the variables are distinguished by invisible subscripts.


How to Begin

If we are given a specification of form

    f(x) ⇐ find z such that r(x, z)
           where p(x),

the corresponding theorem is

    (∀x)[if p(x) then (∃z)r(x, z)].

We construct an initial tableau

    assertions        goals        outputs
                                   f(a)
    p(a)
                      r(a, z)      z

Here a is a constant, obtained by removing the quantifier (∀x) through skolemization, and z is a free variable. The meaning of the tableau is that if, under any interpretation, p(a) is true, then some instance of r(a, z) is true, and the corresponding instance of z will satisfy the specification. The output entry is a device for ensuring that the proof will be sufficiently constructive and for extracting a program from the proof.

Typically, in addition to the input condition p(a), the initial assertions of the tableau will include axioms for the theory under consideration (e.g., integers, finite sets, etc.) and the underlying logic.


The Deductive Process

In the deductive system we describe, we apply deduction rules that add new rows to the tableau without changing its meaning, i.e., so that an equivalent tableau is produced. The process terminates if we develop the final goal

    goals        outputs
    true         t

or the final assertion

    assertions   outputs
    false        t

where t is a term consisting entirely of symbols from the target programming language. Because the deduction rules preserve meaning, obtaining such a goal or assertion will imply that the original tableau is valid. We are also assured that t will satisfy the program's specification. The final program we obtain is

    f(a) ⇐ t.

The restriction on the symbols of t will ensure that the proof will be sufficiently constructive to enable us to compute the output; in particular, t will not be allowed to contain quantifiers, untestable predicates, or uncomputable functions.

We assume that the variables of the new rows added by a deduction rule are implicitly standardized apart in the same way the variables of the original tableau are.

At each stage, there may be several deduction rules that can legally be applied, not all of which are helpful in reaching a final program. Also, different choices of deduction rules may lead to different final programs, some of which may be better than others. In this paper, we largely disregard the strategic aspect of making an opportune choice of deduction rules.


DEDUCTION RULES

The deduction rules are divided into several categories:

• The splitting rules break a row down into its logical components.

• The skolemization rules enable us to remove quantifiers.

• The transformation rules replace subsentences by equivalent sentences.

• The resolution rules enable us to perform a case analysis on the truth of a subsentence.

• The substitution rules enable us to use equivalences, equalities, or other special relations that appear in the tableau.

• The matching rules enable us to introduce new equivalences, equalities, or other special relations into a tableau.

• The mathematical-induction rule enables us to introduce an induction hypothesis.

The splitting and mathematical-induction rules are basically the same as in Manna and Waldinger [1980] but are outlined here for completeness. The transformation and resolution rules have been generalized to allow for explicit quantifiers. The skolemization, substitution, and matching rules are new.

We first describe the splitting and mathematical-induction rules.


The Splitting Rules

The splitting rules break rows down into their logical components.

Rule (and-split):

The and-split rule may be expressed in a tableau notation as follows:

    assertions        goals        outputs
    F and G                        t
    ===================================
    F                              t
    G                              t

This means that if a tableau contains an assertion of form F and G, we may add F and G to our tableau as two separate assertions. The output entries for the new assertions are inherited from the original assertion; if there is no output entry in the original assertion, there is none in the new assertions either. The assertion F and G need not be the last row in the tableau; it may occur anywhere.

In general, the rows above the double line in a rule are the given or original rows, which are required to be present in the tableau before the rule is applied; the rows below the double line are the derived or new rows, which are added to the tableau as a result of applying the rule.

The original assertion is not deleted from the tableau when the rule is applied. Although this may be advisable for efficiency, we are disregarding strategic considerations here.

The or-split rule is similar to the and-split rule and breaks a goal of form F or G down into two goals F and G. The if-split rule breaks a goal of form if F then G down into a new assertion F and a new goal G. There are no rules for breaking down an assertion of form F or G, an assertion of form if F then G, or a goal of form F and G.

Mathematical Induction

We present here only the simplest case of the induction rule, in which the induction hypothesis is formed directly from the theorem to be proved, rather than from a subsequent goal or a generalization.

Rule (mathematical induction):

Suppose our initial tableau is

    assertions        goals        outputs
                                   f(a)
    p(a)
                      r(a, z)      z

In other words, we are trying to construct a program to produce, for an arbitrary input a, an output z satisfying the output condition r(a, z), provided that the input a satisfies the input condition p(a). Then we may assume inductively that the program f we are trying to construct will produce, for an arbitrary input u, an output f(u) satisfying the output condition r(u, f(u)), provided that u satisfies the input condition p(u) and that u is strictly less than a in some well-founded ordering ≺_w. In other words, we may add to our tableau as a new assertion the induction hypothesis

    if u ≺_w a
    then if p(u)
         then r(u, f(u))

This induction hypothesis states that the program will work properly on all inputs "smaller" than the arbitrary input under consideration. The particular well-founded ordering ≺_w to be used in the proof is left unspecified; it must be discovered during the proof process.

Example:

The initial tableau for the quotient program is

    assertions             goals                                outputs
                                                                quot(i, j)
    i ≥ 0 and j > 0
                           i = z·j + y and
                           0 ≤ y and y < j                      z

By the induction rule, we are justified in adding to our tableau, as a new assertion, the induction hypothesis

    if (u, v) ≺_w (i, j)
    then if u ≥ 0 and v > 0
         then (∃y)[u = quot(u, v)·v + y and
                   0 ≤ y and y < v]

This assertion contains instances of the term quot(u, v), where quot is the program being constructed. If this assertion is used in the proof, terms of the form quot(s, t) can appear in the output column, corresponding to recursive calls in the final quot program. |

This is the simplest case of the induction rule; the more general case, not presented here, allows us to form an induction hypothesis from rows other than the initial rows of the tableau. This more general induction rule enables us to construct auxiliary subprograms.

THE SKOLEMIZATION RULES

Before we can introduce the skolemization rules, we must introduce the notion of "polarity" and the associated concept of "quantifier force." Polarity is also of strategic import in controlling the other rules. Murray [1982] used it in his formulation of nonclausal resolution, and it was known to logicians earlier.


Polarity

A subsentence of a given sentence is said to be

• of positive polarity in the sentence if it is within the scope of an even number of (explicit or implicit) not connectives, and

• of negative polarity in the sentence if it is within the scope of an odd number of (explicit or implicit) not connectives.

In determining polarity, a subsentence of form if P then Q is regarded as an abbreviation for (not P) or Q, so that P is within the scope of one more implicit not connective than Q.

A sentence of form P ≡ Q is regarded as an abbreviation for

    (P and Q) or
    ((not P) and (not Q)),

in which the second occurrences of P and Q are within the scope of one more not connective than the first. As a consequence, P and Q have both positive and negative polarities in the sentence. A subsentence is said to be of strict polarity if it does not have both polarities in the sentence.

Intuitively speaking, the truth of a sentence is directly related to the truth of its positive subsentences, and the falsity of its negative ones. In particular, we might make a sentence become true (or valid) by replacing one of its strictly positive subsentences with true or one of its strictly negative subsentences with false, but never by replacing one of its strictly negative subsentences with true or one of its strictly positive subsentences with false.

Example:

The subsentences of the following sentence are annotated according to their polarities in the sentence:

    (if p(x)⁻ then ((∃y)q(y)⁺)⁺)⁺.

|

We can extend the notion of polarity to apply to a tableau as well as to a sentence. We regard each goal as positive in the tableau. Because, by the duality principle, an assertion F is equivalent to a goal not F, each assertion is within the scope of an implicit not connective, and is therefore negative in the tableau.

Example:

The subsentences of the following tableau are annotated according to their polarities in the tableau:

    assertions                          goals                                        outputs
    (if p(x)⁺ then ((∃y)q(y)⁻)⁻)⁻
                                        ((p(x)± ≡ (q(x)± or r(x)±)±)⁺ or p(a)⁺)⁺

|

Note that the subsentence p(x) is negative in the sentence

    if p(x) then (∃y)q(y)

but positive in the tableau, which contains this sentence as an assertion. Note also that every subsentence of an equivalence has both polarities, and the only subsentences of both polarities are subsentences of equivalences. If we wanted to include the connective if P then Q else R in our language, the subsentences of P would also have both polarities, since this construct is regarded as an abbreviation for

    (P and Q) or
    ((not P) and R).

Henceforth, however, we shall not regard this connective as part of the language.


The Force of Quantifiers

By the well-known duality between the universal and existential quantifiers, the "roles" of the quantifiers are reversed by putting them within the scope of an additional negation sign. Thus, the universal quantifier in not (∀x)p(x) plays the same role as the existential quantifier in (∃x)[not p(x)].

With this in mind, we define the force of a quantifier (∀x) or (∃x) in a subsentence E of form (∀x)F or (∃x)F in a sentence (or tableau) according to the following rules:

• The quantifier has universal force if it is a universal quantifier and E is of positive polarity, or if it is an existential quantifier and E is of negative polarity in the sentence (or tableau).

• The quantifier has existential force if it is an existential quantifier and E is of positive polarity, or if it is a universal quantifier and E is of negative polarity in the sentence (or tableau).

Because a subsentence may have both positive and negative polarity, a quantifier may be of both forces; these are the quantifiers within the scope of an equivalence. A quantifier that does not have both forces is said to be of strict force.

Example:

The quantifiers in the following tableau are annotated according to their forces:

    assertions                          goals        outputs
    if (∃x)^∃ p(x) then (∃y)^∀ q(y)

Here, the quantifier (∃x) has existential force because the subsentence (∃x)p(x) is positive in the tableau; the quantifier (∃y) has universal force because the subsentence (∃y)q(y) is negative in the tableau. All the quantifiers are of strict force except (∃u). |

Removal of Quantifiers

Rather than regard quantifier removal as a separate stage, to be done before theorem proving takes place, we allow skolemization to occur at any stage of the theorem-proving process. In practice, we are likely to defer removal of those quantifiers within the scope of an equivalence, because this will require prior removal of the equivalence, with consequent explosion of the theorem.

The skolemization rules permit us to remove any quantifier of strict force from a tableau; the variables bound by the quantifier are replaced by free variables if the quantifier is of existential force, and by "skolem" constants or terms if the quantifier is of universal force. Quantifiers of both forces cannot be removed. (However, if we first remove the enclosing equivalences, a quantifier of both forces will be split into two or more quantifiers of strict force; see the section "Removal of Equivalences.")

Removal of Quantifiers of Universal Force

We first deal with the removal of quantifiers of strict universal force.

Rule (universal elimination):

Suppose our tableau contains an assertion (or goal) F of form

    F : F◁⟨(...z)^∀ P⟩.

Here, (...z)^∀P denotes a subsentence of F, where (...z)^∀ is a quantifier, either (∀z) or (∃z), that is of strict universal force (in the tableau).

Assume that the variables x1, x2, ..., xm are the only free variables in F and that (...y1)^∃, (...y2)^∃, ..., (...yn)^∃ are the only quantifiers in F of existential force that contain the subsentence (...z)^∀P within their scope. Let f be a new function symbol, i.e., one that occurs nowhere in the tableau.

Then we may add to our tableau the new assertion (or goal)

    F' : F◁⟨P◁{z ← f(x1, ..., xm, y1, ..., yn)}⟩.

In other words, F' is formed by removing the quantifier (...z)^∀ in F and replacing every occurrence of z in P by the term f(x1, ..., xm, y1, ..., yn). We shall refer to a term added in this way as a skolem term, and to f as a skolem function. We will say that we have "replaced" the quantifier with the skolem function.

In the special case in which there are no free variables x1, x2, ..., xm and no enclosing quantifiers (...y1)^∃, (...y2)^∃, ..., (...yn)^∃, we let a be a new constant; then we may add to the tableau the new assertion or goal

    F' : F◁⟨P◁{z ← a}⟩.

We will refer to a constant added in this way as a skolem constant.

Example:

Suppose our tableau contains the assertion

    assertions                                          goals        outputs
    F : r(x) or
        (∀y)^∃[q(x, y) and (∃z)^∀ p(x, y, z)]

Here, x is the only free variable in F and (∀y)^∃ is the only quantifier of existential force that contains the quantifier (∃z)^∀ within its scope. Therefore, we may remove the quantifier (∃z)^∀ from the assertion by replacing every occurrence of z with the skolem term f(x, y), adding to our tableau the new assertion

    assertions                                          goals        outputs
    F' : r(x) or
         (∀y)[q(x, y) and p(x, y, f(x, y))]
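The following Python is added here as an illustration and is not code from the paper: it computes the polarities of subsentence occurrences and the forces of quantifiers as defined in the preceding sections, then applies the universal elimination rule, reproducing the skolem term f(x, y) of the example above. The tuple encoding of sentences, the paths used to name subsentence occurrences, and the explicit set of variable names are assumptions of this example.

```python
# Added illustration (not the paper's code): polarity, quantifier force and the
# universal elimination rule. Sentences are nested tuples (my encoding):
#   ('atom', name, args), each term a str (variable or constant) or (fname, args);
#   ('not', P), ('and', P, Q), ('or', P, Q), ('if', P, Q), ('equiv', P, Q);
#   ('forall', 'x', P), ('exists', 'x', P).
# Which names are variables is stated explicitly by a `variables` set.
POS, NEG = "+", "-"

def polarities(sentence, pol=POS, path=(), out=None):
    """Map each subsentence occurrence (its path of child indices) to its set
    of polarities. 'if P then Q' abbreviates '(not P) or Q'; 'P equiv Q'
    abbreviates '(P and Q) or ((not P) and (not Q))', so both sides of an
    equivalence acquire both polarities. Start with pol=NEG for an assertion
    (it sits under an implicit 'not' by duality) and pol=POS for a goal."""
    out = {} if out is None else out
    out.setdefault(path, set()).add(pol)
    kind, flip = sentence[0], (NEG if pol == POS else POS)
    if kind == "not":
        polarities(sentence[1], flip, path + (1,), out)
    elif kind in ("and", "or"):
        for i in (1, 2):
            polarities(sentence[i], pol, path + (i,), out)
    elif kind == "if":
        polarities(sentence[1], flip, path + (1,), out)
        polarities(sentence[2], pol, path + (2,), out)
    elif kind == "equiv":
        for i in (1, 2):
            polarities(sentence[i], pol, path + (i,), out)
            polarities(sentence[i], flip, path + (i,), out)
    elif kind in ("forall", "exists"):
        polarities(sentence[2], pol, path + (2,), out)
    return out

def subsentence_at(sentence, path):
    for i in path:
        sentence = sentence[i]
    return sentence

def forces(row_kind, sentence):
    """Map each quantifier occurrence in a tableau row ('assertion' or 'goal')
    to its set of forces: positive polarity keeps the quantifier's role,
    negative polarity reverses it."""
    result = {}
    for path, pols in polarities(sentence, POS if row_kind == "goal" else NEG).items():
        node = subsentence_at(sentence, path)
        if node[0] in ("forall", "exists"):
            result[path] = frozenset(
                "universal" if (node[0] == "forall") == (p == POS) else "existential"
                for p in pols)
    return result

def free_vars(sentence, variables, bound=frozenset()):
    def in_term(t):
        if isinstance(t, str):
            return {t} if t in variables else set()
        return set().union(*(in_term(a) for a in t[1]))
    kind = sentence[0]
    if kind == "atom":
        return set().union(*(in_term(a) for a in sentence[2])) - bound
    if kind in ("forall", "exists"):
        return free_vars(sentence[2], variables, bound | {sentence[1]})
    return set().union(*(free_vars(s, variables, bound) for s in sentence[1:]))

def substitute(sentence, var, replacement):
    """Replace every occurrence of variable `var` by a term (rows are taken
    to be standardized apart, so the replacement cannot be captured)."""
    def in_term(t):
        if isinstance(t, str):
            return replacement if t == var else t
        return (t[0], tuple(in_term(a) for a in t[1]))
    kind = sentence[0]
    if kind == "atom":
        return (kind, sentence[1], tuple(in_term(a) for a in sentence[2]))
    if kind in ("forall", "exists"):
        return (kind, sentence[1], substitute(sentence[2], var, replacement))
    return (kind,) + tuple(substitute(s, var, replacement) for s in sentence[1:])

def replace_at(sentence, path, new):
    if not path:
        return new
    i = path[0]
    return sentence[:i] + (replace_at(sentence[i], path[1:], new),) + sentence[i + 1:]

def universal_elimination(row_kind, sentence, path, variables, fname):
    """Rule (universal elimination): drop the quantifier at `path`, which must be
    of strict universal force, replacing its variable by the skolem term
    fname(x1..xm, y1..yn) over the row's free variables and the variables of the
    enclosing quantifiers of existential force (a skolem constant if none)."""
    fs = forces(row_kind, sentence)
    if fs.get(path) != frozenset({"universal"}):
        raise ValueError("quantifier at %r is not of strict universal force" % (path,))
    enclosing = [subsentence_at(sentence, path[:k])[1] for k in range(len(path))
                 if path[:k] in fs and "existential" in fs[path[:k]]]
    args = tuple(sorted(free_vars(sentence, variables))) + tuple(enclosing)
    skolem = (fname, args) if args else fname
    quant = subsentence_at(sentence, path)
    return replace_at(sentence, path, substitute(quant[2], quant[1], skolem))
```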
Removal of Quantifiers of Existential Force

The forthcoming existential elimination rule allows us to remove quantifiers of strict existential force. However, the quantifier to be removed must not be within the scope of any quantifiers of universal force; such quantifiers should be removed by prior application of the preceding rule.

Rule (existential elimination):

Suppose our tableau contains an assertion or goal F of form

    F : F◁⟨(...z)^∃ P⟩

where (...z)^∃ is a quantifier of strict existential force. Assume that no quantifiers of universal force contain the subsentence (...z)^∃P within their scope. Then we may add to the tableau the new assertion or goal

    F' : F◁⟨P⟩.

In other words, we may remove the quantifier (...z)^∃ so that every occurrence of z in P becomes a free variable.

Example:

Suppose our tableau contains the goal

    assertions        goals                                        outputs
                      F : (∃z1)^∃[p(z1) and (∃z2)^∃ q(z1, z2)]

Here the quantifier (∃z2)^∃ is not within the scope of any quantifier of universal force. Therefore, we may remove the quantifier (∃z2)^∃ by adding to the tableau the new goal

    assertions        goals                                        outputs
                      F' : (∃z1)[p(z1) and q(z1, z2)]

We could also have used the rule to remove the quantifier (∃z1) from F. |
TRANSFORMATION RULES

Before we introduce the transformation rules, it is necessary to extend the notion of unification to sentences with quantifiers.

Unification

Unification became widely known through its use in the original resolution principle (Robinson [1965]), in which it was applied only to atomic sentences. The extension to nonatomic sentences with quantifiers is straightforward.

We assume that, in matching subsentences of sentences with quantifiers, the variables that are bound in the surrounding sentence are distinguishable from free variables by some invisible annotation. Then:

• Logical connectives are treated like function symbols. Thus,

    if p(x) then q(x, f(x))

will unify with

    if p(a) then q(y, z),

yielding a most-general unifier

    {x ← a, y ← a, z ← f(a)}.

• Bound variables are treated like constants. Thus, we cannot unify the subsentence p(u) of the sentence

    (∃u)[p(u) and q(y)]

and the subsentence p(z) of the sentence

    (∀z)[if p(z) then r(u, z)].

However, we can unify either of these subsentences with the subsentence p(x) of the sentence

    p(x) or s(x),

in which x is free, yielding the most-general unifiers {x ← u} and {x ← z}, respectively.

• To unify two sentences of form (∀x)P and (∀x')P', we attempt to unify P and P'◁{x' ← x}, the result of replacing all occurrences of x' in P' with x, treating x as a constant. If we are successful, obtaining a unifier θ, our result is {x' ← x}∘θ, the composition of the substitution {x' ← x} and θ. (Similarly for existential quantifiers.)

Example:

To unify (∀x)p(x, a, u) and (∀y)p(y, v, b), where u and v are free variables, we first unify p(x, a, u) and p(y, v, b)◁{y ← x}, that is, p(x, v, b), obtaining a unifier θ = {v ← a, u ← b}. Our resulting unifier is then {y ← x}∘θ = {y ← x, v ← a, u ← b}. |


Statement of a Transformation Rule

Suppose that any sentence of form P is equivalent to the corresponding sentence of form Q.
Then a transformation rule

    P ⇒ Q

allows us to replace a subsentence of form P by the corresponding equivalent subsentence of form
Q in any assertion or goal, yielding a new assertion or goal, respectively, to add to the tableau.

Before we present the precise statement, let us give a rough schematic description of the
application of a transformation rule to an assertion in the ground case, where there are no variables
and also no output entries:

    [tableau (assertions | goals | outputs) not recovered from the scan]

Similarly, to apply the rule to a goal, we write

    [tableau not recovered from the scan]

[text lost at the scan boundary] applied to the goal

    assertions | goals                                  | outputs
               | not ⟦if p(x) then false⟧ and not q(x)  |

yields the new goal

               | not not p(x) and not q(x)              |

We use the box (rendered here as ⟦ ⟧) to indicate the subexpression to which the rule is about to be applied.

Other examples of transformation rules are the not-not rule

    not not P ⇒ P

and the or-two rule

    P or P ⇒ P.

To describe the application of these rules more precisely, we regard the script letters P, Q,
..., that appear in such rules as free variables that range over sentences, and we attempt to unify
the left-hand side of the rule with subsentences of the tableau.

Rule (transformation):

The application of a transformation rule

    P ⇒ Q

to an assertion is represented in tableau notation by

    assertions               | goals | outputs
    F                        |       | f
    (F◁θ)◁{P◁θ ← Q◁θ}        |       | f◁θ

Here we assume that

• There is a set {P1, ..., Pk} of disjoint subsentences of F such that P, P1, ..., Pk
  are unifiable, with most-general unifier θ. Thus P◁θ, P1◁θ, ..., Pk◁θ are all
  identical sentences.

• F◁θ, P◁θ, Q◁θ, and f◁θ are the results of applying the substitution θ to F, P,
  Q and f, respectively.

• (F◁θ)◁{P◁θ ← Q◁θ} is the result of replacing every occurrence of P◁θ in F◁θ
  with Q◁θ.

• If x is any free variable in F that occurs within the scope of a quantifier, θ cannot
  instantiate x to any term t containing a bound variable of F.
  (dependency restriction)

If there is no output entry f in the original row, then there is no output entry in the new row
either.

In the precise version of the rule, we consider a set of subsentences of F because these reduce
to a single sentence on application of the substitution θ.

We assume that the variables of transformation rules are standardized apart in the same way
as the variables of the tableau itself. Thus, the bound and free variables of transformation rules
are tacitly renamed so that they are distinct both from one another and from the variables of the
tableau.

The application of a transformation rule P ⇒ Q to a goal is similar. In tableau notation, we
have

    assertions | goals                    | outputs
               | F                        | f
               | (F◁θ)◁{P◁θ ← Q◁θ}        | f◁θ

The same notation and the same restrictions apply as when the rule was applied to an assertion.
It is also possible to apply transformation rules to output entries.

We first illustrate the rule with a straightforward example; then we present a counterexample
to show that the dependency restriction is necessary.

Example:

Suppose our tableau contains the assertion

    [tableau (assertions | goals | outputs) not recovered from the scan]

Then we can apply the and-two rule

    P and P ⇒ P

to the subexpression p(a, y) and p(x, f(x)) of F. The unifier θ is

    {x ← a, y ← f(a), P ← p(a, f(a))}

and the new row is

    assertions                    | goals | outputs
    p(a, f(a)) or r(a, f(a))      |       | g(a, f(a))

Note that the substitution θ is applied to the output entry as well as to the assertion. ■

The Dependency Restriction

Let us consider the rationale for the dependency restriction.

Example:

To see why the restriction is required, suppose our tableau contains the assertion

    assertions                        | goals | outputs
    F: (∃y)[p(x, y) or p(y, x)]       |       |

Then, were the restriction not required, we could apply the or-two rule

    P or P ⇒ P

to the subsentence

    p(x, y) or p(y, x)

of the assertion. The unifier θ would be

    {x ← y, P ← p(y, y)}

and the (erroneous) new row would be

    (∃y)p(y, y)                       |       |

This step violates the dependency restriction, because x is a free variable in the assertion, x
occurs within the scope of the quantifier (∃y), and θ instantiates x to the term y, which contains
a bound variable.

The new assertion is not a valid conclusion to draw from the given one. For example, in the
interpretation whose domain is the set of integers {0, 1} and that takes p(x, y) to mean x < y, the
given assertion means

    (∃y)[x < y or y < x]

for any x, which is true, but the new assertion means

    (∃y)[y < y],

which is false. ■

In fact, if we had skolemized the given assertion, we would have obtained an assertion

    p(x, f(x)) or p(f(x), x)

The or-two rule cannot be applied to this assertion, because its left-hand side P or P fails to
unify with the assertion; the subterms x and f(x) cannot be unified. ■

When the application of a transformation rule is blocked by the dependency restriction, it is
possible that the rule may be applicable if the quantifier of the offending bound variable is first
removed by skolemization.

Example:

Suppose our tableau contains the goal

    assertions | goals                            | outputs
               | (∃y)[p(x, y) or p(y, x)]         |

Then if we momentarily disregard the dependency restriction, we can apply the or-two rule

    P or P ⇒ P

to the subsentence p(x, y) or p(y, x). The unifier θ is

    {x ← y, P ← p(y, y)}

and the new goal is

               | (∃y)p(y, y)                      |

Although this is a valid step, which preserves the meaning of the tableau, it does violate the
dependency restriction: the free variable x, which is within the scope of the quantifier (∃y), is
instantiated to the bound variable y. Thus, in this case, the restriction is unduly prohibitive.

Had we first removed the quantifier by skolemization, however, obtaining the goal

               | p(x, y) or p(y, x)               |

we could indeed have applied the or-two rule to obtain the goal

               | p(y, y)                          |

■


The True-False Rules

We assume we have a full complement of true-false rules for removing occurrences of the
propositions true and false from sentences, e.g., the and-true rules

    P and true ⇒ P
    true and P ⇒ P,

the then-true and then-false rules,

    if P then true ⇒ true
    if P then false ⇒ not P,

and the all-true and all-false rules

    (∀x)true ⇒ true
    (∀x)false ⇒ false.

These rules and certain of the other transformation rules are so fundamental that sometimes
we will apply them automatically, as a simplification step, without mentioning it.

Removal of Equivalence

We also assume we have the equivalence elimination rules, the iff-or rule

    P ≡ Q ⇒ (P and Q) or ((not P) and (not Q))

and the iff-and rule

    P ≡ Q ⇒ (if P then Q) and (if Q then P).

These rules will enable us to remove equivalences when we cannot prove the theorem otherwise.
By repeated application of these rules, we can ensure that a given quantifier has strict force, and
then remove it by skolemization. This may be necessary if we fail to apply, say, a transformation
rule because a quantified variable has caused the unification to fail or the dependency restriction
to be violated.


THE RESOLUTION RULE

The resolution rule performs a case analysis on the truth of a subsentence of the assertions
or goals of a tableau. At the same time, the rule instantiates variables and accounts for the
introduction of conditional expressions into the program being constructed.

Statement of the Resolution Rule

The rule can be applied to two rows of the tableau, whether these rows contain assertions or
goals. We present first the "GG-form" of the rule, which applies to two goals.

The schematic description of the ground version of the rule is as follows.

    assertions | goals                        | outputs
               | F(P)                         | f
               | G(P)                         | g
               | F(true) and G(false)         | if P then f else g

In other words, we seek a common subsentence P of F and G, replace all occurrences of P in F
and in G with true and false, respectively, and add the conjunction of the resulting sentences as a
new goal. The output entry is a conditional expression, with P as its test.

The rationale for this rule is as follows. Consider an interpretation under which the derived
goal F(true) and G(false) is true; we seek to show that one of the two given goals F(P) or G(P)
is then also true under this interpretation. Because the conjunction is true, both of its conjuncts
F(true) and G(false) are true. In the case in which P is true under the interpretation, the given
goal F(P) is true; in this case, f is a suitable output. In the case in which P is false, the given
goal G(P) is true; in this case, g is a suitable output. In either case, the conditional expression
if P then f else g is a suitable output.

The more precise description of the rule is as follows:

Rule (resolution):

An application of the resolution rule is written in tableau notation by

    assertions | goals                                           | outputs
               | F                                               | f
               | G                                               | g
               | (F◁θ)◁{P◁θ ← true} and (G◁θ)◁{P◁θ ← false}      | if P◁θ then f◁θ else g◁θ

Here we assume that

• P = {P1, ..., Pk} is a set of subsentences of F and Q = {Q1, ..., Ql} is a
  set of subsentences of G that are all unifiable with most-general unifier θ. Thus
  P1◁θ, ..., Pk◁θ, Q1◁θ, ..., Ql◁θ are all identical sentences, denoted (by abuse
  of notation) by P◁θ.

• As before, (F◁θ)◁{P◁θ ← true} and (G◁θ)◁{P◁θ ← false} denote the results
  of replacing every occurrence of P◁θ in F◁θ and G◁θ, respectively, with the
  propositional symbols true and false, respectively.

• If x is any free variable in F or in G that occurs within the scope of a quantifier,
  then θ cannot instantiate x to any term t containing a bound variable of F or of
  G.
  (dependency restriction)

• No variable that is bound in F or in G may occur free in the new row.
  (no-escape restriction)

In the precise version of the rule, we consider a set of subsentences of F (and of G) because
these sentences reduce to a single sentence on application of the substitution θ. Recall we have
assumed that the variables of our tableau are standardized apart, so that the variables of F are
distinct from those of G.

Murray's (1982) polarity strategy for resolution allows us to consider only those applications of
the rule under which some occurrence of P◁θ in F◁θ is positive in the tableau and some occurrence
of P◁θ in G◁θ is negative in the tableau. This strategy not only preserves completeness, but also
rarely blocks a reasonable step.


Examples

We give a straightforward example of the application of the rule and two counterexamples
illustrating the necessity for the dependency and no-escape restrictions.

Example:

Suppose our tableau contains the two goals

    assertions | goals                  | outputs
               | F: ⟦x < a⟧             | f(x)
               | G: not ⟦b < y⟧         | g(y)

Here we use the box notation to indicate the subsentences that are about to be matched in applying
the rule.

According to the tableau, if we can find x such that x < a, then f(x) is a suitable output,
and if we can find y such that not (b < y), then g(y) is a suitable output. Let P be the subset
{x < a, b < y} of subsentences of F and G. Then P is unifiable with most-general unifier θ =
{x ← b, y ← a}, and P◁θ is b < a. By the resolution rule, we may infer the new goal

               | (b < a)◁{(b < a) ← true} and           | if b < a
               | (not (b < a))◁{(b < a) ← false}        | then f(b)
               |                                        | else g(a)

which reduces to

               | true and (not false)                   | if b < a then f(b) else g(a)

and then to

               | true                                   | if b < a then f(b) else g(a)

under the not-false rule

    not false ⇒ true

and the and-true rule

    P and true ⇒ P.

Note that this application of the resolution rule is in accordance with the polarity strategy. ■

Example: 


To  see  why  the  dependency  restriction  is  necessary,  assume  our  tableau  contains  the  two  goals 


assertions 


outputs 


If  the  dependency  restriction  were  not  imposed,  we  would  be  able  to  apply  the  resolution  rule  to 
match  p(z,  u)  against  p(z,  y),  with  most-general  unifier  0  =  {x  «—  z,  u  «—  y},  obtaining  (erroneously) 
the  new  row 


(Vz)true  and 
(Vy)(not  false ) 


after  true-false  transformation. 

This  step  violates  the  dependency  restriction,  because  the  free  variables  x  and  u,  which  occur 
within  the  scopes  of  quantifiers,  arc  instantiated  to  the  bound  variables  z  and  y,  respectively. 

The  preceding  deduction  is  not  sound,  because  we  can  imagine  interpretations  under  which  all 
instances  of  both  goals  are  false,  c.g.,  if  p  is  the  equality  predicate  and  the  domain  has  more  than 
one  element.  | 

Example:

To see why the no-escape restriction is necessary, assume our tableau contains the goals

    assertions | goals                      | outputs
               | ⟦p(z)⟧ and q(z)            |
               | (∀u)(not ⟦p(u)⟧)           |

Then, if the no-escape condition were not imposed, we would be able (erroneously) to derive the
goal

               | (true and q(u)) and (∀u)(not false)    |

which reduces to

               | q(u)                                   |

Here the bound variable u of the second goal has "escaped" and become free, giving it a tacit
existential quantification in the new goal it did not have in the original goal.

For instance, in an interpretation over the integers in which p(z) and q(z) denote the conditions
that z is even and odd, respectively, both given goals are false: our first goal requires that we find
a z that is both even and odd, while our second goal requires us to show that every integer is not
even. The derived goal, on the other hand, is true: it requires that we find an integer u that is
odd.

Note that, if the tableau contains the two goals

    assertions | goals                      | outputs
               | ⟦p(z)⟧                     |
               | (∀u)(not ⟦p(u)⟧)           |

then we could apply the resolution rule to match p(z) against p(u), taking the most-general unifier
θ = {z ← u} without violating either restriction. In this case, the new goal is

               | true and (∀u)(not false)   |

which reduces to

               | true                       |


Dual Forms of the Resolution Rule

We have given the GG-form of the resolution rule, which applies to two goals. The AA-, AG-,
and GA-forms of the rule, which apply to two assertions, an assertion and a goal, and a goal and
an assertion, respectively, may be derived by duality from the GG-form. The schematic version of
the GA-form of the rule (ground case) is as follows:

    assertions | goals                           | outputs
               | F(P)                            | f
    G(P)       |                                 | g
               | F(true) and not G(false)        | if P then f else g

The precise description of the rule and its restrictions are analogous to those of the GG-form.
The AA-form is phrased to produce a new assertion rather than a new goal. If one of the given
rows, say F(P), has no output entry, the output entry for the new row is simply g (or, in the
precise version, g◁θ) rather than a conditional expression. If neither of the given rows has an
output entry, the new row has no output entry either. The polarity strategy for the dual forms of
the resolution rule is precisely the same as that for the GG-form.
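As an added illustration that is not code from the paper, the following Python encodes the unification of sentences with quantifiers from the Unification subsection, checks the dependency restriction on the or-two transformation rule, and applies the GG-form of the resolution rule with both of its restrictions; the tuple encoding, the helper names, the `resolve` signature and the sample goals are my own assumptions.

```python
# Encoding (constructed here, not the paper's notation): ('var', x) free variable;
# ('bnd', x) bound variable (the "invisible annotation"); ('forall', x, body) and
# ('exists', x, body) quantifiers; (sym, arg, ...) a function, predicate or connective
# applied to arguments (a constant has no arguments).  Connectives are ordinary
# symbols, so one unifier serves terms and sentences.  Names are standardized apart.
TRUE, FALSE, QUANT = ('true',), ('false',), ('forall', 'exists')

def subst(e, theta):
    """Apply substitution theta (variable name -> expression) throughout e."""
    if e[0] in ('var', 'bnd'):
        return subst(theta[e[1]], theta) if e[1] in theta else e
    if e[0] in QUANT:                        # the binder follows any renaming of its variable
        return (e[0], subst(('bnd', e[1]), theta)[1], subst(e[2], theta))
    return (e[0],) + tuple(subst(a, theta) for a in e[1:])

def mentions(e, name):
    """Does the (free or bound) variable `name` occur in e?"""
    if e[0] in ('var', 'bnd'):
        return e[1] == name
    return any(mentions(a, name) for a in e[1:] if isinstance(a, tuple))

def unify(a, b, theta=None):
    """Most-general unifier of a and b extending theta, or None if they do not unify."""
    theta = dict(theta or {})
    a, b = subst(a, theta), subst(b, theta)
    if a == b:
        return theta
    for v, t in ((a, b), (b, a)):            # a free variable is bound to the other side
        if v[0] == 'var' and not mentions(t, v[1]):      # (with an occurs check)
            theta[v[1]] = t
            return theta
    if a[0] in QUANT and a[0] == b[0]:       # (Qx)P vs (Qx')P': rename x' to x, unify bodies
        theta[b[1]] = ('bnd', a[1])
        return unify(a[2], b[2], theta)
    if a[0] != b[0] or len(a) != len(b) or a[0] in ('var', 'bnd'):
        return None                          # distinct bound variables clash like constants
    for p, q in zip(a[1:], b[1:]):
        theta = unify(p, q, theta)
        if theta is None:
            return None
    return theta

def has_bound(e):
    """Does the term or sentence e contain a bound variable?"""
    return e[0] == 'bnd' or any(has_bound(a) for a in e[1:] if isinstance(a, tuple))

def violates_dependency(row, theta):
    """Dependency restriction: theta must not instantiate a free variable that lies
    within the scope of a quantifier to a term containing a bound variable."""
    def walk(e, in_scope):
        if e[0] == 'var':
            return in_scope and e[1] in theta and has_bound(subst(e, theta))
        if e[0] in QUANT:
            return walk(e[2], True)
        return any(walk(a, in_scope) for a in e[1:] if isinstance(a, tuple))
    return walk(row, False)

def escaped(e, scope=frozenset()):
    """No-escape restriction: does a bound variable occur outside its quantifier?"""
    if e[0] in QUANT:
        return escaped(e[2], scope | {e[1]})
    return (e[0] == 'bnd' and e[1] not in scope
            or any(escaped(a, scope) for a in e[1:] if isinstance(a, tuple)))

def replace(e, old, new):
    """Replace every occurrence of the subexpression `old` in e with `new`."""
    if e == old:
        return new
    if e[0] in QUANT:
        return (e[0], e[1], replace(e[2], old, new))
    return (e[0],) + tuple(replace(a, old, new) if isinstance(a, tuple) else a for a in e[1:])

def simplify(e):
    """A few of the true-false rules: not-true/not-false, and-true, all-true/all-false."""
    if e[0] in ('var', 'bnd') or len(e) == 1:
        return e
    if e[0] in QUANT:
        body = simplify(e[2])
        return body if body in (TRUE, FALSE) else (e[0], e[1], body)
    args = tuple(simplify(a) for a in e[1:])
    if e[0] == 'not' and args[0] in (TRUE, FALSE):
        return FALSE if args[0] == TRUE else TRUE
    if e[0] == 'and':
        rest = tuple(a for a in args if a != TRUE)
        return rest[0] if len(rest) == 1 else (('and',) + rest if rest else TRUE)
    return (e[0],) + args

def resolve(F, f, G, g, P1, Q1):
    """GG-form of the resolution rule, matching subsentence P1 of goal F (output f) with
    subsentence Q1 of goal G (output g); an output may be None.  Returns the pair
    (new goal, new output), or None when unification or a restriction blocks the step."""
    theta = unify(P1, Q1)
    if theta is None or violates_dependency(F, theta) or violates_dependency(G, theta):
        return None
    P = subst(P1, theta)
    goal = ('and', replace(subst(F, theta), P, TRUE), replace(subst(G, theta), P, FALSE))
    outs = [subst(o, theta) for o in (f, g) if o is not None]
    if escaped(goal) or any(escaped(o) for o in outs):
        return None                          # the no-escape restriction
    out = ('if', P, *outs) if len(outs) == 2 else (outs[0] if outs else None)
    return simplify(goal), out
```

On the paper's first resolution example, `resolve` returns the goal `true` with output `if b < a then f(b) else g(a)`; on the no-escape counterexample it returns `None`.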


Relaxing the Dependency Restriction

The dependency restriction for the resolution rule can be relaxed to allow the rule to apply in
more situations; the relaxed restriction, however, is more complex than the original.

Recall that the restriction is

    If x is any free variable in the given rows F or G that occurs within the scope
    of a quantifier, then the unifier θ cannot instantiate x to any term t containing a
    bound variable of F or of G.

Actually, the restriction can be relaxed by applying it only to free variables that occur within
the scope of a quantifier whose variable actually occurs in one of the matched sentences. More
precisely, the restriction can be revised as follows:

• If x is any free variable in F or in G that occurs within the scope of a quantifier
  (...y) whose variable y occurs in at least one of the matched sentences P1, ..., Pk
  or Q1, ..., Ql, then θ cannot instantiate x to any term t containing a bound
  variable of F or of G.
  (relaxed dependency restriction)

Let us look at an (admittedly rare) example of a valid application of the resolution rule that
violates the original dependency restriction but not the relaxed dependency restriction.

Example:

Suppose our tableau contains the goal and assertion

    [tableau and derived row not recovered from the scan]

under true-false transformation.

This step is legitimate — it preserves the meaning of the tableau — but it violates the original
dependency restriction. The free variable x in the goal F, which occurs within the scope of the
quantifier (∀y), is instantiated by θ to the bound variable z. On the other hand, the step does not
violate the relaxed dependency restriction, because the variable y of the quantifier (∀y) does not
occur in the matched subsentence p(x). ■

We did not present the relaxed dependency restriction at first because it is more complex than
the original restriction and only permits a few additional applications of the resolution rule.


EQUALITY AND EQUIVALENCE SUBSTITUTION RULES

The equality predicate has long been recognized as meriting special treatment. The use of
axioms to represent the properties of the relation lengthens the proof and dramatically explodes
the search space. In the resolution framework, special inference rules such as paramodulation (Wos
and Robinson [1969]) and E-resolution (Morris [1969]) were soon brought to bear in an attempt to
control the proliferation of clauses.

The equivalence connective has not been recognized as such a trouble spot, but, as we have
indicated in the introduction, it is common in the specification of programs. Proofs become longer
and lose their intuitive motivation when equivalence is paraphrased in terms of other connectives.
Furthermore, the techniques that apply to the equality predicate can be easily adapted to the
equivalence connective. In this section, we present nonclausal versions of both paramodulation and
E-resolution and apply the rules to both equality and equivalence.


Equality Substitution Rule

The "substitution rules" are our nonclausal counterpart of paramodulation. The equality
substitution rule allows us to use an equality that occurs in one row of a tableau to replace a
subterm with an equal term in another (or even possibly the same) row. We present the AA-form
of the rule, which applies between two assertions.

The rough schematic description of the ground version of the rule is as follows:

    assertions                | goals | outputs
    F(S = T)                  |       | f
    G(S)                      |       | g
    F(false) or G(T)          |       | if S = T then g else f

Here, we seek an explicit equality S = T in F, where S also occurs in G. We replace every
occurrence of S = T in F with false, replace some occurrences of S in G with T, and add their
disjunction as a new assertion. The output entry is a conditional expression with S = T as its
test. Note that, in an abuse of notation, we do not necessarily replace every occurrence of S in G
with T.

The rationale for this rule is as follows. Consider an interpretation under which both given
assertions are true; we seek to show that the derived assertion is also true under this interpretation.
Equivalently, we show that if the derived assertion is false, then one or the other of the given
assertions is also false. Because the disjunction F(false) or G(T) is false, each of its disjuncts
F(false) and G(T) is false. In the case in which S = T is false, because F(false) is false, we know
the given assertion F(S = T) is false; in this case, f is a suitable output (i.e., it satisfies the
specification for the desired program). In the case in which S = T is true, because G(T) is false,
we know the given assertion G(S) is false; in this case, g is a suitable output. In either case, the
conditional expression if S = T then g else f is a suitable output.

The precise description of the rule follows:

Rule (equality substitution):

Expressed in our tableau notation, the rule is

    assertions                                                 | goals | outputs
    F                                                          |       | f
    G                                                          |       | g
    (F◁θ)◁{(S◁θ = T◁θ) ← false} or (G◁θ)⊲{S◁θ ← T◁θ}            |       | if S◁θ = T◁θ then g◁θ else f◁θ

Here we assume that

• S = {s0, s1, ..., sk} and T = {t1, ..., tk} are sets of terms such that

  ■ F contains at least one occurrence of each equality s1 = t1, ..., sk = tk;

  ■ G contains at least one occurrence of s0;

  ■ θ is a most-general unifier of S and of T: i.e., s0◁θ, s1◁θ, ..., sk◁θ
    are identical terms, denoted by S◁θ, and t1◁θ, ..., tk◁θ are identical
    terms, denoted by T◁θ; and θ is one of the most-general substitutions
    that make these expressions identical.

• (F◁θ)◁{(S◁θ = T◁θ) ← false} denotes the result of replacing every occurrence
  of the subsentence S◁θ = T◁θ in F◁θ with the proposition false.

• The symbol ⊲ is defined so that (G◁θ)⊲{S◁θ ← T◁θ} denotes the result of
  replacing one or more (but not necessarily all) occurrences of S◁θ in G◁θ with
  T◁θ.

• If x is any variable in F or in G that occurs within the scope of a quantifier, then
  θ cannot instantiate x to any term t containing a bound variable of F or of G.
  (dependency restriction)

• No variable that is bound in F or in G may occur free in the new row.
  (no-escape restriction)

If one of the given rows, say F, has no output entry, the output entry for the new row is simply
g◁θ rather than a conditional expression, as in the resolution rule. Again, if neither of the given
rows has an output entry, the new row has no output entry either.

The dependency restriction for this rule can be relaxed in the same way as for the resolution
rule.

According to the polarity strategy, we may assume that one occurrence of one of the equalities
si = ti in F is negative in the tableau. We may also require that some element of S not be a
variable.

This rule degenerates to paramodulation in the clausal, quantifier-free case. The completeness
results of Brand (1975) apply to this rule if the skolemization, splitting, and transformation rules
are included in the system, so that we can reduce our theorem to clause form. We assume the
identity axiom x = x is included among the assertions.

The motivation for the dependency and the no-escape restrictions of the equality substitution
rule is the same as for the resolution rule.

Example:

Assume our tableau contains the two assertions

    [tableau (assertions | goals | outputs) not recovered from the scan]

We again use the box notation to indicate the expressions to be matched.


Equivalence Substitution Rule

This rule is precisely analogous to the equality substitution rule, with equivalence playing the
role of equality.

The rough schematic description of the ground version of the rule is as follows:

    assertions                | goals | outputs
    F(S ≡ T)                  |       | f
    G(S)                      |       | g
    F(false) or G(T)          |       | if S ≡ T then g else f

The more precise description of the rule is as follows:

Rule (equivalence substitution):

    assertions                                                 | goals | outputs
    F                                                          |       | f
    G                                                          |       | g
    (F◁θ)◁{(P◁θ ≡ Q◁θ) ← false} or (G◁θ)⊲{P◁θ ← Q◁θ}            |       | if P◁θ ≡ Q◁θ then g◁θ else f◁θ

The restrictions for the rule are the same as for the equality substitution rule, with equivalence
playing the role of equality and sentences playing the role of terms.

We assume that we have among our assertions the reflexivity axiom for equivalence P ≡ P,
where P is a metavariable that can be matched against sentences.

To take full advantage of our ability to leave quantifiers intact, we include among our assertions
such familiar equivalences from predicate logic as the some-or equivalence

    (∃x)[P or Q] ≡ [(∃x)P or (∃x)Q]

and the all-and equivalence

    (∀x)[P and Q] ≡ [(∀x)P and (∀x)Q].

Such equivalences are redundant in the presence of the skolemization rules, but may shorten
deductions dramatically by allowing us to avoid skolemization and the removal of equivalences.

Example:

Suppose our tableau contains the goal and assertion

    assertions                               | goals                                              | outputs
                                             | r(x) ≡ ⟦(∃y)[p(x, y) or (∀z)q(y, z)]⟧              |
    ⟦(∃x)[P or Q]⟧ ≡ [(∃x)P or (∃x)Q]        |                                                    |

We can obtain the new goal

                                             | false or r(x) ≡ [(∃y)p(x, y) or (∃y)(∀z)q(y, z)]   |

which reduces to

                                             | r(x) ≡ [(∃y)p(x, y) or (∃y)(∀z)q(y, z)]            |


RESOLUTION AND SUBSTITUTION WITH MATCHING

The matching rules may be regarded as adding a new equality (or equivalence) to a goal when,
because of a mismatch, we fail to apply the resolution rule or a substitution rule. We present first
the GG-resolution rule with equality matching.

Resolution With Equality Matching

In its rough schematic form, the rule is as follows:

    assertions | goals                                  | outputs
               | F(P(S))                                | f
               | G(P(T))                                | g
               | S = T and F(true) and G(false)         | if P(S) then f else g

Here, we assume that S and T are distinct terms. If they were identical, we could apply the
resolution rule; in this case, we add the conjunct S = T as an additional condition to be proved.

The rationale for the rule is as follows: for an interpretation under which the derived goal is
true, its conjunct S = T is true, and P(S) and P(T) are equivalent. The justification for this rule
is then the same as for the basic resolution rule, without equality matching. Before we give the
precise description of the rule, let us motivate it with an example.

Example:

Suppose our tableau contains the two goals

    assertions | goals                                  | outputs
               | F: ⟦p(x, a, b)⟧ and ...                | f(x)
               | G: [not recovered from the scan]       | g(y)

In attempting to unify the boxed subsentences of F and of G, the unification algorithm develops
the substitution

    θ = {x ← c, y ← a, z ← a}

and then fails because the corresponding terms b and g(a) cannot be unified. If we somehow could
establish that the mismatched terms b and g(a) were equal, we could apply the resolution rule.
This motivates the precise statement. We will return to this example afterwards. ■

The  precise  description  of  the  rule  is  as  follows: 

Rule  ( resolution  with  equality  matching ): 

In  our  tableau  notation,  the  rule  is  expressed  as  follows: 


assertions 

goals 

outputs 

7 

/ 

$ 

9 

S  +0  =  T  ■*  0  and 

(7 ■*())  + {P\  ■*()*—  true,  . . . ,  P^-* 0  <—  true }  and 
false,  false} 

if  R 

then  f  <0 
else  g  +  0 

•  P1, P2, ..., Pk are subsentences of F.

•  Q1, Q2, ..., Ql are subsentences of G.

•  S = {s1, s2, ..., sk} and T = {t1, t2, ..., tl} are sets of subterms of P1, ..., Pk, Q1, ...,
and Ql.

•  R is a sentence and θ a most-general substitution such that

    ■  θ unifies S; i.e., s1◁θ, s2◁θ, ..., and sk◁θ are identical terms, denoted
    by S◁θ.

    ■  θ unifies T; again T◁θ denotes the unified term.

    ■  S◁θ and T◁θ are distinct terms.

    ■  R is "nearly identical" to each of the sentences Pi◁θ; in other words, for
    each i between 1 and k,

        (Pi◁θ)◁{S◁θ ← T◁θ} is R.

    That is, R can be obtained by replacing in Pi◁θ zero, one, or more
    occurrences of S◁θ with T◁θ.

    ■  R is "nearly identical" to each of the sentences Qj◁θ; in other words, for
    each j between 1 and l,

        (Qj◁θ)◁{S◁θ ← T◁θ} is R.

•  If x is any variable in F or in G that occurs within the scope of a quantifier, then
θ cannot instantiate x to any term containing a bound variable of F or of G.

    (dependency restriction)

•  No bound variable of F or G may occur free in the new row.

    (no-escape restriction)

The discovery of the sets S and T and the substitution θ is the natural by-product of an attempt
to unify the subsentences Pi and Qj if the unification algorithm returns pairs of mismatched terms
when it nearly succeeds. The rule may be generalized to the case in which there are several pairs
of mismatched terms. The dependency restriction for this rule may be relaxed in the same way as
for the resolution rule.

This rule degenerates to E-resolution (Morris [1969]) in the clausal case.
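The rule above says that S, T and θ fall out of a unification attempt that reports its mismatched pairs instead of simply failing. The following Python is an added example, not the paper's algorithm: it unifies each P_i against each Q_j, collecting the clashing pairs; the left-hand sides of the clashes form S and the right-hand sides form T (a simplification of the rule, which lets S and T draw on subterms of both sides); θ must then also unify S and T among themselves. It reads "nearly identical" as: every P_i◁θ and Q_j◁θ coincide once S◁θ is identified with T◁θ, and it takes R = P_1◁θ, as in the page's example. The goals are constructed so that the run reproduces the page's θ, S, T and R: P_1 = p(x, a, b), Q_1 = p(c, y, g(z)), Q_2 = p(c, y, g(y)). The term encoding and helper names are this example's own.

```python
# Unification that records mismatched subterms instead of failing, and from
# them derives theta, S, T and R for resolution with equality matching.
# Added example, not the paper's algorithm.
from collections import deque

# Term encoding (assumption): a variable is a str, a constant is a 1-tuple
# such as ('a',), and an application is a tuple (functor, arg1, ...).

def walk(t, s):
    """Follow variable bindings in s until a non-variable or an unbound variable."""
    while isinstance(t, str) and t in s:
        t = s[t]
    return t

def apply_subst(t, s):
    """t ◁ θ: apply the substitution s to every variable in t."""
    t = walk(t, s)
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(apply_subst(a, s) for a in t[1:])

def occurs(v, t, s):
    t = walk(t, s)
    if isinstance(t, str):
        return t == v
    return any(occurs(v, a, s) for a in t[1:])

def replace(t, old, new):
    """t ◁ {old ← new}: replace every occurrence of the subterm old with new."""
    if t == old:
        return new
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(replace(a, old, new) for a in t[1:])

def show(t):
    if isinstance(t, str) or len(t) == 1:
        return t if isinstance(t, str) else t[0]
    return f"{t[0]}({', '.join(show(a) for a in t[1:])})"

def unify_pairs(pairs, s, mismatches):
    """Solve the equations in pairs, extending s in place.  A clash between two
    non-variable terms with different functors is appended to mismatches
    rather than aborting.  Returns False only on an occurs-check failure,
    which no added equality S = T could repair."""
    todo = deque(pairs)
    while todo:
        a, b = todo.popleft()
        a, b = walk(a, s), walk(b, s)
        if a == b:
            continue
        if isinstance(a, str) or isinstance(b, str):
            v, t = (a, b) if isinstance(a, str) else (b, a)
            if occurs(v, t, s):
                return False
            s[v] = t
        elif a[0] == b[0] and len(a) == len(b):
            todo.extend(zip(a[1:], b[1:]))
        else:
            mismatches.append((a, b))
    return True

def equality_match(ps, qs):
    """Unify each P_i with each Q_j.  Returns None when the attempt is not a
    near success; a dict with 'equality': None when plain unification succeeds
    (the ordinary resolution rule applies); otherwise theta, S◁θ, T◁θ, R and
    the conjunct S◁θ = T◁θ to add to the derived goal."""
    s, clashes = {}, []
    if not unify_pairs([(p, q) for p in ps for q in qs], s, clashes):
        return None
    if not clashes:
        return {'theta': {v: apply_subst(t, s) for v, t in s.items()}, 'equality': None}
    S, T = [a for a, _ in clashes], [b for _, b in clashes]
    extra = []   # theta must unify S among itself and T among itself
    if not unify_pairs(list(zip(S, S[1:])) + list(zip(T, T[1:])), s, extra) or extra:
        return None   # several independent mismatch pairs: the generalized rule is needed
    S_t, T_t = apply_subst(S[0], s), apply_subst(T[0], s)
    if S_t == T_t:
        return None
    # "Nearly identical": all P_i◁θ and Q_j◁θ coincide once S◁θ is identified with T◁θ.
    images = {replace(apply_subst(t, s), S_t, T_t) for t in ps + qs}
    if len(images) != 1:
        return None
    return {'theta': {v: apply_subst(t, s) for v, t in s.items()},
            'S': S_t, 'T': T_t, 'R': apply_subst(ps[0], s), 'equality': (S_t, T_t)}

# Constructed goals reproducing the page's example.
P1 = ('p', 'x', ('a',), ('b',))
Q1 = ('p', ('c',), 'y', ('g', 'z'))
Q2 = ('p', ('c',), 'y', ('g', 'y'))

if __name__ == '__main__':
    r = equality_match([P1], [Q1, Q2])
    print({v: show(t) for v, t in r['theta'].items()}, show(r['S']), show(r['T']), show(r['R']))
```

Running the block prints θ = {x: c, y: a, z: a}, S◁θ = b, T◁θ = g(a) and R = p(c, a, b); the derived goal then carries the conjunct b = g(a) exactly as in the page's example.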

Example:

In our discussion prior to the statement of the rule, we considered a tableau with the two goals
F and G. Recall that the boxed subsentences of F and G failed to unify because of the mismatched
terms b and g(a). However, we can still apply the resolution rule with equality matching, taking

    θ = {x ← c, y ← a, z ← a},

    S = {b},

    T = {g(z), g(y)},

and

    R = p(c, a, b),

to add to our tableau the new goal

    b = g(a) and                                      | if p(c, a, b)
    (true and (true or q(c))) and                     | then f(c)
    [remaining conjunct illegible in the scan]        | else g(a)

which reduces under transformation to

    b = g(a) and r(a)                                 | if p(c, a, b)
                                                      | then f(c)
                                                      | else g(a)

|

According to the polarity strategy, we may restrict application of the rule to cases in which,
for some i, at least one occurrence of Pi◁θ in F◁θ is positive, and at least one occurrence of Qj◁θ
in G◁θ is negative, in the tableau.


The resolution rule with equivalence matching is identical to the rule with equality matching
if we replace the equality predicate with the equivalence connective, and references to terms and
subterms with sentences and subsentences, respectively.

Substitution  with  Equality  Matching 

We  can  add  a  new  equality  to  a  row  upon  failing  to  apply  the  equality  (or  equivalence) 
substitution  rule.  We  present  only  the  schematic  AA-form  of  the  equivalence  substitution  rule 
with  equality  matching. 


    assertions                          | goals | outputs
    F(P(S) ≡ Q)                         |       | f
    G(P(T))                             |       | g
    if S = T                            |       | if P(S) ≡ Q
    then F(false) or                    |       | then g
         G(Q)                           |       | else f

Here,  if  S  and  T  were  identical,  we  could  apply  the  equivalence  substitution  rule;  we  therefore  add 
the  condition  S  =  T  to  the  assertion  as  an  antecedent.  In  the  GG-  and  other  forms  of  the  rule, 
the  condition  S  =  T  is  added  to  the  goal  as  a  conjunct. 

A  similar  rule  allows  us  to  add  a  new  equivalence  (rather  than  an  equality)  to  a  row  upon 
failing  to  apply  the  equivalence  substitution  rule. 

Before  we  introduce  the  rules  for  handling  special  relations  other  than  equality,  let  us  give  an 
extensive  example  involving  equality  and  equivalence. 




EQUALITY  AND  EQUIVALENCE:  A  COMPLETE  EXAMPLE 


In  this  section  we  present  an  example  that  employs  the  techniques  presented  so  far.  The 
example  is  akin  to  the  synthesis  of  the  Cartesian-product  program,  but  is  simplified  to  avoid 
constructing  auxiliary  subprograms,  which  requires  the  general  induction  rule,  not  the  special  case 
we  have  discussed  here. 


The program to be constructed appends the integer 1 onto every element of a given finite set.
Our initial specification is

    cartone(s) ⇐ find z such that
                     (∀y)[ y ∈ z ≡ (∃x)(y = (1, x) and x ∈ s) ]

Here (1, x) is the pair whose first element is 1 and whose second is x. Note that there is no input
condition; the type condition isset(s) is omitted.

In  this  derivation,  we  will  sometimes  simplify  new  rows  automatically  with  true-false  and  other 
fundamental  transformation  rules,  without  presenting  the  intermediate  results. 

The  initial  tableau  for  this  specification  is 


    assertions | goals                                           | outputs
               |                                                 | cartone(s)
               | 1. (∀y)[ y ∈ z ≡ (∃x)(y = (1, x) and x ∈ s) ]    | z

The Induction Hypothesis

By the induction rule, we may consider an arbitrary input set s and assume that the program
cartone(u) we are attempting to construct will yield an output that satisfies the given specification,
provided that the input u is a set strictly less than s in some well-founded ordering ≺w. Thus, we
can add to our assertions the induction hypothesis

    2. if u ≺w s
       then (∀y)[ y ∈ cartone(u) ≡ (∃x)(y = (1, x) and x ∈ u) ]

Dropping the Quantifiers

As we have indicated by annotation, the quantifier (∀y) in goal 1 is of universal force while
the same quantifier in assertion 2 is of existential force. By the quantifier elimination rules, we
can replace the quantifier with a skolem function g in the goal and with a free variable y in the
assertion, thereby obtaining a new goal and assertion

    3. g(z) ∈ z ≡ (∃x)(g(z) = (1, x) and x ∈ s)                      | z

    4. if u ≺w s
       then y ∈ cartone(u) ≡ (∃x)(y = (1, x) and x ∈ u)

We may think of the skolem term g(z) in goal 3 as an arbitrary element.

Note that the subexpression x ∈ s has both polarities because it is within the scope of an
equivalence.

The  Base  Case 


We assume that we have among our assertions the empty-set membership axiom

    not (y ∈ { })

By the resolution rule with equality matching, we can match the subsentence y ∈ { } in this
assertion against the subsentence x ∈ s in goal 3, taking θ to be {y ← x}. As the polarity
annotations indicate, this match is in accordance with the polarity strategy. The new row we
obtain is

    5. s = { } and
       not not true and
       g(z) ∈ z ≡ (∃x)(g(z) = (1, x) and false)                      | z

which reduces (under true-false transformation) to

    6. s = { } and
       not g(z) ∈ z                                                  | z

Applying the GA-resolution rule between goal 6 and the empty-set membership axiom
we obtain the goal (after transformation)

    7. s = { }                                                       | { }

Note that in this step we have instantiated the output variable z, obtaining a ground term in the
output column. This row means that, in the case in which the input s is the empty set, the output
can also be taken to be the empty set.

Decomposition of the Goal

Let us turn our attention back to the earlier goal 3, which was formed from the initial goal by
removing a quantifier:

    g(z) ∈ z ≡ (∃x)(g(z) = (1, x) and x ∈ s)

We assume that we have among our assertions the nonempty-set membership axiom:

    if not u = { }
    then y ∈ u ≡ (y = elt(u) or y ∈ rest(u))

Here elt(u) is an arbitrary element of the nonempty set u, and rest(u) is the set of all the other
elements of u. By the equality substitution rule, taking θ to be {y ← x, u ← s}, we can use this
assertion to replace x ∈ s in the goal with

    x = elt(s) or x ∈ rest(s)

obtaining (after true-false transformation)

    8. (not s = { }) and
       g(z) ∈ z ≡ (∃x)(g(z) = (1, x) and (x = elt(s) or x ∈ rest(s)))  | z

Applying the equivalence substitution rule twice in succession, first to the and-or distributive
equivalence

    (F and (G or H)) ≡ ((F and G) or (F and H))

and this goal, and then to the some-or equivalence

    (∃x)(G or H) ≡ ((∃x)G or (∃x)H)

and the resulting goal, we obtain

    9. (not s = { }) and
       g(z) ∈ z ≡ ( (∃x)(g(z) = (1, x) and x = elt(s)) or
                    (∃x)(g(z) = (1, x) and x ∈ rest(s)) )               | z


By the transformation rule

    (∃y)(F and y = t) ⇒ F◁{y ← t}

applied to the goal, taking θ = {y ← x, F ← (g(z) = (1, x)), t ← elt(s)}, we obtain

    10. (not s = { }) and
        g(z) ∈ z ≡ ( g(z) = (1, elt(s)) or
                     (∃x)(g(z) = (1, x) and x ∈ rest(s)) )              | z

Note that the substitution θ contains a replacement for the bound variable y; this is because we
are unifying two quantified sentences.


Using the Induction Hypothesis

Recall we have assumed as our induction hypothesis (after skolemization) the assertion 4,

    if u ≺w s
    then y ∈ cartone(u) ≡ (∃x)(y = (1, x) and x ∈ u)

By the equivalence substitution rule we may use the equivalence of the induction hypothesis (from
right to left, where θ = {y ← g(z), u ← rest(s)}) to replace the subsentence

    (∃x)(g(z) = (1, x) and x ∈ rest(s))

of the goal with

    g(z) ∈ cartone(rest(s))

obtaining

    11. not (if rest(s) ≺w s then false) and
        (not s = { }) and
        g(z) ∈ z ≡ ( g(z) = (1, elt(s)) or
                     g(z) ∈ cartone(rest(s)) )                          | z

which reduces (under true-false transformation) to

    12. rest(s) ≺w s and
        (not s = { }) and
        g(z) ∈ z ≡ ( g(z) = (1, elt(s)) or
                     g(z) ∈ cartone(rest(s)) )                          | z

Introducing the Recursive Call

We assume that we have among our assertions the member-insertion axiom

    (x ∈ y ∘ u) ≡ (x = y or x ∈ u)

(Here y ∘ u is the result of adding the element y to the set u.) By the equivalence substitution rule,
we may use the axiom (from right to left) to replace the subsentence

    g(z) = (1, elt(s)) or
    g(z) ∈ cartone(rest(s))

with the sentence

    g(z) ∈ (1, elt(s)) ∘ cartone(rest(s)),

obtaining

    13. rest(s) ≺w s and
        (not s = { }) and
        g(z) ∈ z ≡ [ g(z) ∈ (1, elt(s)) ∘ cartone(rest(s)) ]           | z

Finally, by GA-resolution, matching the subsentence

    g(z) ∈ z ≡ g(z) ∈ (1, elt(s)) ∘ cartone(rest(s))

against the equivalence reflexivity axiom, taking z to be (1, elt(s)) ∘ cartone(rest(s)), we obtain
the goal

    14. rest(s) ≺w s                                    | (1, elt(s)) ∘ cartone(rest(s))

Note that at this stage we have discovered another instantiation for the output variable z. The
term, which appears as the output entry, contains a recursive call cartone(rest(s)). This term is
a suitable output in the case that s is a nonempty set, provided we can show that the argument
rest(s) is strictly less than s in the ordering ≺w.


Proof of Termination

We have not yet found a well-founded ordering ≺w to serve as a basis for the induction. We
expect to have properties of many standard orderings among our assertions. Assume that we have
the subset-rest axiom

    if not u = { }
    then rest(u) ≺subset u

where ≺subset is the proper subset ordering over the finite sets. By GA-resolution, we can match
the subsentence

    rest(s) ≺w s

of the goal against the subsentence

    rest(u) ≺subset u

of the assertion, to obtain the goal

    15. not s = { }                                     | (1, elt(s)) ∘ cartone(rest(s))

Note that in this step we have selected the well-founded ordering ≺w to be the proper subset
ordering ≺subset.


The Final Program

Recall that we have earlier developed goal 7,

    7. s = { }                                          | { }

By GG-resolution between this goal and the new goal 15, we obtain the final goal

    16. true                                            | if s = { }
                                                        | then { }
                                                        | else (1, elt(s)) ∘ cartone(rest(s))

This step accounts for the introduction of a conditional expression in the output column. The final
program we extract from the proof is

    cartone(s) ⇐ if s = { }
                 then { }
                 else (1, elt(s)) ∘ cartone(rest(s))


Synthesis of the Cartesian-Product Program

The above proof is similar to the derivation of the Cartesian product program cart(s1, s2),
which computes the Cartesian product of two finite sets s1 and s2. The specification for that
program is

    cart(s1, s2) ⇐ find z such that
                       [condition partly illegible in the scan; it ends "... x1 ∈ s1 and x2 ∈ s2"]

The final program we obtain is the system of two programs

    cart(s1, s2) ⇐ if s1 = { }
                   then { }
                   else carttwo(s1, s2) ∪ cart(rest(s1), s2),

where

    carttwo(s1, s2) ⇐ if s2 = { }
                      then { }
                      else (elt(s1), elt(s2)) ∘ carttwo(s1, rest(s2)).

Here, ∪ is the set union function and carttwo(s1, s2) is an auxiliary subprogram that computes the
Cartesian product of {elt(s1)} and s2. The auxiliary program appears through the use of the more
general induction principle.
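The programs extracted in this section and the preceding one are executable as they stand. The following Python is an added example, not code from the paper: it implements cartone, cart and carttwo over frozensets, with elt, rest and insert standing for the paper's elt(u), rest(u) and y ∘ u (elt returning the minimum is an assumption; the paper only requires some element of the nonempty set). It checks each program against its specification, with the universal quantifier over y evaluated over a finite, constructed candidate set, and walks the descent rest(s) ≺subset s that the termination proof relied on. The reading of the cart specification as (∃x1)(∃x2)(y = (x1, x2) and x1 ∈ s1 and x2 ∈ s2) is this example's own, since that part of the page is only partly legible.

```python
# The synthesized programs run against their specifications.  Added example,
# not the paper's code: sets are Python frozensets, elt/rest/insert model the
# paper's elt, rest and y ∘ u, and elt returns the minimum (an assumption; the
# paper only requires some element of the nonempty set).

def elt(u):
    """An arbitrary element of the nonempty set u (assumed here: the minimum)."""
    if not u:
        raise ValueError("elt(u) is only defined for nonempty u")
    return min(u)

def rest(u):
    """The set of all elements of u other than elt(u)."""
    return u - {elt(u)}

def insert(y, u):
    """y ∘ u: the result of adding the element y to the set u."""
    return u | {y}

def cartone(s):
    """Extracted program: if s = { } then { } else (1, elt(s)) ∘ cartone(rest(s))."""
    if s == frozenset():
        return frozenset()
    return insert((1, elt(s)), cartone(rest(s)))

def carttwo(s1, s2):
    """Auxiliary program: the Cartesian product of {elt(s1)} and s2."""
    if s2 == frozenset():
        return frozenset()
    return insert((elt(s1), elt(s2)), carttwo(s1, rest(s2)))

def cart(s1, s2):
    """Main program: the Cartesian product of s1 and s2."""
    if s1 == frozenset():
        return frozenset()
    return carttwo(s1, s2) | cart(rest(s1), s2)

def meets_cartone_spec(s, candidates):
    """(∀y)[ y ∈ cartone(s) ≡ (∃x)(y = (1, x) and x ∈ s) ], with the universal
    quantifier checked over the finite set `candidates` (an assumption: the
    specification quantifies over all y)."""
    z = cartone(s)
    return all((y in z) == any(y == (1, x) for x in s) for y in candidates)

def meets_cart_spec(s1, s2, candidates):
    """y ∈ cart(s1, s2) ≡ (∃x1)(∃x2)(y = (x1, x2) and x1 ∈ s1 and x2 ∈ s2),
    checked over `candidates`; this reading of the specification is the
    example's own, since the page's text for it is only partly legible."""
    z = cart(s1, s2)
    return all((y in z) == any(y == (x1, x2) for x1 in s1 for x2 in s2)
               for y in candidates)

def sample_candidates(s):
    """Constructed candidate pairs: the expected members plus decoys that
    must not appear in cartone(s)."""
    return {(1, x) for x in s} | {(2, x) for x in s} | {(1, 'not-in-s')}

def descent_length(s):
    """Number of recursive calls cartone(s) makes; each step checks the
    termination condition rest(s) ≺subset s (proper subset) supplied by the
    subset-rest axiom."""
    steps = 0
    while s:
        if not rest(s) < s:
            raise AssertionError("rest(s) is not a proper subset of s")
        s, steps = rest(s), steps + 1
    return steps

if __name__ == "__main__":
    S = frozenset({3, 7, 11})
    print(sorted(cartone(S)), meets_cartone_spec(S, sample_candidates(S)), descent_length(S))
```

The spec checks are extensional: they compare membership in the computed output with the right-hand side of the equivalence for each candidate y, which is exactly the shape of goal 1 with the quantifier restricted to a finite domain.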


POLARITY WITH RESPECT TO SPECIAL RELATIONS


Equality is only one relation that has special importance in program synthesis. The inequalities
< and ≤ over the integers or reals, and the subset relation ⊂ and the membership relation ∈ over
the sets, are examples of other relations that merit special treatment. In this section we extend
the rules we have given for equality to apply to other relations in particular circumstances. This
extension is particularly effective for transitive (ordering) relations. But first we must extend the
notion of polarity, which we have introduced for subsentences, to apply to terms as well, relative
to a particular relation ≺.


Relations  and  Monotonicity 

Let ≺ be a relation. We shall say that

•  ≺ is irreflexive if

    not x ≺ x;

•  ≺ is total if

    x ≺ y or x = y or y ≺ x;

•  ≺ is transitive if

    if (x ≺ y and y ≺ z) then x ≺ z;

•  ≺ is asymmetric if

    not (x ≺ y and y ≺ x);

for all x, y, and z.

We define the weak relation ≼ associated with ≺ by

    x ≼ y ≡ (x ≺ y or x = y).

We shall use y ≻ x and y ≽ x synonymously with x ≺ y and x ≼ y, respectively.

Definition: Let f and p be a function and predicate of arity n and let j be an integer between 1
and n inclusive.


1 


i 


*1 


i 


*1 


3 

1 

1 


With respect to a relation ≺ we shall say that

•  f is (weakly) monotonically increasing in its jth argument provided that

    if x ≺ y
    then f(z1, ..., zj−1, x, zj+1, ..., zn) ≼ f(z1, ..., zj−1, y, zj+1, ..., zn)

•  p is (weakly) monotonically increasing in its jth argument provided that

    if x ≺ y
    then if p(z1, ..., zj−1, x, zj+1, ..., zn)
         then p(z1, ..., zj−1, y, zj+1, ..., zn)

•  f is (weakly) monotonically decreasing in its jth argument provided that

    if y ≺ x
    then f(z1, ..., zj−1, x, zj+1, ..., zn) ≼ f(z1, ..., zj−1, y, zj+1, ..., zn)

•  p is (weakly) monotonically decreasing in its jth argument provided that

    if y ≺ x
    then if p(z1, ..., zj−1, x, zj+1, ..., zn)
         then p(z1, ..., zj−1, y, zj+1, ..., zn)

for all x, y, and z1, ..., zn. |

Of course, some functions and predicates are neither monotonically increasing nor decreasing
in some of their arguments with respect to a given relation ≺.

Example:

The minus function (−) is monotonically increasing in its first argument with respect to the
< relation; i.e.,

    if x < y
    then x − z < y − z

for all integers x, y, and z. Furthermore, the minus function is monotonically decreasing in its
second argument, i.e.,

    if y < x
    then z − x < z − y

for all integers x, y, and z. |

Example:

The member predicate ∈ is monotonically increasing in its second argument with respect to
the subset relation ≺subset, i.e.,

    if x ≺subset y
    then if z ∈ x
         then z ∈ y

for all sets x and y and elements z. |

Note that ∈ is neither monotonically increasing nor decreasing in its first argument with
respect to ≺subset.

Remark:

If ≺ is a transitive relation, then ≺ is monotonically increasing in its second argument with
respect to ≺ itself; i.e.,

    if x ≺ y
    then if z ≺ x
         then z ≺ y.

Also, ≺ is monotonically decreasing in its first argument with respect to ≺ itself; i.e.,

    if y ≺ x
    then if x ≺ z
         then y ≺ z. |


Polarity of Terms

We are now ready to extend the notion of polarity to apply to terms, with respect to a given
relation ≺.

Definition (polarity): The polarity of a subsentence of a given sentence or tableau, as defined in
an earlier section, is also its polarity in the sentence or tableau with respect to ≺. For terms,
we have the following additional rules:

If a subsentence p(s1, ..., sj−1, t, sj+1, ..., sn) occurs in a sentence or tableau, then the
polarity of t (with respect to ≺) is the same as the polarity of the subsentence if p is
monotonically increasing in its jth argument, and the polarity of t (with respect to ≺)
is opposite to the polarity of the subsentence if p is monotonically decreasing in its jth
argument.

Similarly, if a subterm f(s1, ..., sj−1, t, sj+1, ..., sn) occurs in a sentence or tableau,
then the polarity of t (with respect to ≺) is the same as the polarity of the subterm if
f is monotonically increasing in its jth argument, and the polarity of t (with respect to
≺) is opposite to the polarity of the subterm if f is monotonically decreasing in its jth
argument.

Note that some terms may be neither positive nor negative with respect to a given relation
≺, and that some terms may be both positive and negative. We shall say that a term has strict
positive or negative polarity if it has one but not both of these polarities.

Example:

In the tableau

    assertions                 | goals | outputs
    if x + 1 < y               |       |
    then x < y                 |       |

•  The subsentence x + 1 < y is positive in the tableau with respect to < (by the
ordinary rules governing polarity).

•  Therefore, the term x + 1 is negative in the tableau with respect to < (because
the < predicate is monotonically decreasing in its first argument with respect to
<).

•  Therefore, the first occurrence of the term x is negative in the tableau with respect
to < (because the + function is monotonically increasing in its first argument).

The  notion  of  polarity  with  respect  to  a  relation  -<  is  important  because,  roughly  speaking, 
a  sentence  gets  “truer”  as  its  strictly  positive  subterms  get  bigger  and  as  its  strictly  negative 
subterms  get  smaller.  This  observation  is  made  precise  in  the  following  proposition. 

Proposition (polarity): The notion of polarity with respect to a relation ≺ satisfies the following
two properties:

    if s ≺ t
    then if F
         then F◁{s⁺ ← t}              (positive part)

and

    if s ≻ t
    then if F
         then F◁{s⁻ ← t}              (negative part)


9 


9 


j 
for all terms s and t and sentences F, where F◁{s⁺ ← t} is the result of replacing one or
more strictly positive occurrences of s in F with t, and F◁{s⁻ ← t} is the result of replacing
one or more strictly negative occurrences of s in F with t.

The proof of the proposition is by induction on the structure of the sentence.

Example:

In the tableau

    assertions                 | goals | outputs
    if x + 1 < y               |       |
    then x < y                 |       |

with respect to the relation <:

•  The occurrence of x + 1 is strictly negative in the sentence x + 1 < y (because
< is monotonically decreasing in its first argument); therefore, replacing this
occurrence by something smaller makes this sentence "truer" (by the negative
part of the proposition).

•  The occurrence of x + 1 is strictly positive in the sentence if x + 1 < y then x < y;
therefore, replacing this occurrence by something bigger makes this sentence
"truer" (by the positive part of the proposition).

•  The occurrence of x is strictly negative in the sentence x + 1 < y (because + is
monotonically increasing in its first argument); therefore, replacing this occurrence
by something smaller makes this sentence "truer" (by the negative part of the
proposition). |
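The two term rules of the polarity definition and the polarity proposition can both be checked mechanically. The following Python is an added example, not from the paper: it computes the polarity set of every subsentence and subterm occurrence of a sentence with respect to < over the integers, using a monotonicity table for <, ≤, + and − (the table entries follow the examples and remark above), and then brute-forces the proposition over small integer ranges for one occurrence at a time. The tuple AST, the table and the function names are this example's own; the sentence checked is the page's "if x + 1 < y then x < y", taken as an assertion row of a tableau.

```python
# Polarity of terms with respect to < over the integers, and a brute-force
# check of the polarity proposition.  Added example; the AST, the
# monotonicity table and the helper names are this example's own.
import itertools

# Sentences and terms share one tuple AST (an assumption of this example):
#   term:     int literal | variable name (str) | ('+', t1, t2) | ('-', t1, t2)
#   sentence: ('<', t1, t2) | ('<=', t1, t2) | ('not', A) | ('and', A, B)
#             | ('or', A, B) | ('if', A, B) | ('iff', A, B)
# How a child's polarity follows from its parent's: 'same' keeps it, 'flip'
# reverses it, 'both' makes it both positive and negative (equivalence).
CONNECTIVES = {'not': ('flip',), 'and': ('same', 'same'), 'or': ('same', 'same'),
               'if': ('flip', 'same'), 'iff': ('both', 'both')}
# Monotonicity of each argument with respect to <: 'inc' acts like 'same',
# 'dec' like 'flip' (the two term rules of the definition).
MONOTONICITY = {'<': ('dec', 'inc'), '<=': ('dec', 'inc'),
                '+': ('inc', 'inc'), '-': ('inc', 'dec')}
POS, NEG, BOTH = frozenset('+'), frozenset('-'), frozenset('+-')

def child_polarity(rule, parent):
    if rule in ('same', 'inc'):
        return parent
    if rule == 'both':
        return BOTH
    return frozenset({'+': '-', '-': '+'}[p] for p in parent)   # 'flip' / 'dec'

def occurrences(node, pol=POS, path=()):
    """Yield (path, subexpression, polarity set) for every occurrence in node.
    Assertion rows of a tableau are traversed with pol=NEG, goal rows with POS."""
    yield path, node, pol
    if isinstance(node, (int, str)):
        return
    rules = CONNECTIVES.get(node[0]) or MONOTONICITY[node[0]]
    for i, (child, rule) in enumerate(zip(node[1:], rules), start=1):
        yield from occurrences(child, child_polarity(rule, pol), path + (i,))

def polarity_at(node, path, pol=POS):
    return next(p for q, _, p in occurrences(node, pol) if q == path)

def is_strict(pol):
    return len(pol) == 1

def subexpr_at(node, path):
    for i in path:
        node = node[i]
    return node

def replace_at(node, path, new):
    if not path:
        return new
    i = path[0]
    return node[:i] + (replace_at(node[i], path[1:], new),) + node[i + 1:]

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b,
       '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
       'not': lambda a: not a, 'and': lambda a, b: a and b,
       'or': lambda a, b: a or b, 'if': lambda a, b: (not a) or b,
       'iff': lambda a, b: a == b}

def evaluate(node, env):
    if isinstance(node, int):
        return node
    if isinstance(node, str):
        return env[node]
    return OPS[node[0]](*(evaluate(a, env) for a in node[1:]))

def proposition_holds(sentence, path, make_bigger, lo=-3, hi=3):
    """Brute-force the polarity proposition for one term occurrence: whenever
    sentence is true, replacing the occurrence at path by a bigger term
    (make_bigger=True) or a smaller one must keep it true.  Variables range
    over the integers in [lo, hi]."""
    old = subexpr_at(sentence, path)
    names = sorted({v for _, v, _ in occurrences(sentence) if isinstance(v, str)})
    for values in itertools.product(range(lo, hi + 1), repeat=len(names)):
        env = dict(zip(names, values))
        if not evaluate(sentence, env):
            continue
        for d in (1, 2):
            new = ('+', old, d) if make_bigger else ('-', old, d)
            if not evaluate(replace_at(sentence, path, new), env):
                return False
    return True

# The page's example assertion:  if x + 1 < y then x < y
ASSERTION = ('if', ('<', ('+', 'x', 1), 'y'), ('<', 'x', 'y'))

def tableau_example():
    """Polarities in the tableau; the row is an assertion, so traversal starts NEG."""
    return {'x + 1 < y': polarity_at(ASSERTION, (1,), NEG),
            'x + 1': polarity_at(ASSERTION, (1, 1), NEG),
            'x': polarity_at(ASSERTION, (1, 1, 1), NEG)}

if __name__ == '__main__':
    print(tableau_example())
    print(proposition_holds(ASSERTION, (1, 1), make_bigger=True))
```

For the antecedent x + 1 < y taken on its own, the occurrence of x + 1 is strictly negative: proposition_holds reports True when the term is made smaller and False when it is made bigger, which is the distinction the proposition's two parts draw.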
RELATION SUBSTITUTION RULE


We are now ready to extend the equality substitution rule to an arbitrary relation ≺.


Small-to-Big  Version 


The rough schematic description of the ground version of the rule (AA-form) is as follows:

    assertions                 | goals | outputs
    F(S ≺ T)                   |       | f
    G(S⁻)                      |       | g
    F(false) or G(T)           |       | if S ≺ T
                               |       | then g
                               |       | else f

Here F(S ≺ T) is an assertion with an occurrence of the subsentence S ≺ T, where S and T are
terms; G(S⁻) is an assertion with an occurrence of S which is strictly negative in the tableau with
respect to ≺ (or, equivalently, S is strictly positive in G(S)); and G(T) is the result of replacing
that occurrence of S in G(S) with T.

The rationale for this rule is as follows. Consider an interpretation under which both given
assertions are true; we seek to show that the derived assertion is also true under this interpretation.
Equivalently, we show that if the derived assertion is false, then one or the other of the given
assertions is also false.

Because the disjunction F(false) or G(T) is false, each of its disjuncts is false. In the case in
which S ≺ T is false, because the disjunct F(false) is false, we know the given assertion F(S ≺ T)
is false; in this case, f is a suitable output. In the case in which S ≺ T is true, because the
disjunct G(T) is false, and because S is strictly positive in G(S), we know (by the positive part of
the polarity proposition) the goal G(S) is false; in this case, g is a suitable output. In either case,
the conditional expression if S ≺ T then g else f is a suitable output.

According to the polarity strategy, we may assume that some occurrence of S ≺ T in
F(S ≺ T) is negative in the tableau. We may also assume that S is not a free variable.

The precise version of the rule is as follows:

    assertions                                       | goals | outputs
    F                                                |       | f
    G                                                |       | g
    (F◁θ)◁{(S◁θ ≺ T◁θ) ← false} or                   |       | if S◁θ ≺ T◁θ
    (G◁θ)◁{S⁻◁θ ← T◁θ}                                |       | then g◁θ
                                                     |       | else f◁θ

Here we assume that

•  S = {s0, s1, ..., sk} and T = {t1, ..., tk} are sets of terms such that

    ■  F contains at least one occurrence of each inequality s1 ≺ t1, ..., sk ≺ tk;

    ■  G contains at least one occurrence of s0 that is strictly negative in the
    tableau with respect to ≺;

    ■  θ is a most-general unifier of S and of T: i.e., s0◁θ, s1◁θ, ..., sk◁θ are
    identical terms, denoted by S◁θ; and t1◁θ, ..., tk◁θ are identical terms,
    denoted by T◁θ; and θ is one of the most-general substitutions that make
    these expressions identical.

•  (F◁θ)◁{(S◁θ ≺ T◁θ) ← false} denotes the result of replacing every occurrence
of the subsentence S◁θ ≺ T◁θ in F◁θ with the proposition false.

•  (G◁θ)◁{S⁻◁θ ← T◁θ} denotes the result of replacing one or more (but not
necessarily all) occurrences of S◁θ in G◁θ with T◁θ for which the corresponding
element of S is strictly negative in the tableau with respect to ≺.

•  If x is any variable in F or in G that occurs within the scope of a quantifier, then θ
cannot instantiate x to any term containing a bound variable of F or of G.

    (dependency restriction)

•  No variable that is bound in F or in G may occur free in the new row.

    (no-escape restriction)

The dependency restriction may be relaxed as usual. According to the polarity strategy, we
may also assume that at least one occurrence of one of the inequalities si ≺ ti in F is negative in
the tableau. We may also require that one of the elements of S not be a free variable.

Example:

Suppose we have the two assertions

    assertions                          | goals | outputs
    if p(x) then h(x, a) < c            |       | f(x)
    if q(y) then h(b, y) > 0            |       | g(y)

Note that the occurrence of h(b, y) is negative in the tableau with respect to <. Applying the
relation substitution rule, taking θ = {x ← b, y ← a}, we can add the new assertion

    (if p(b) then false) or             |       | if h(b, a) < c
    (if q(a) then c > 0)                |       | then g(a)
                                        |       | else f(b)

which reduces (under transformation) to

    (not p(b)) or                       |       | if h(b, a) < c
    (if q(a) then c > 0)                |       | then g(a)
                                        |       | else f(b)

|


Big-to-Small Version

The preceding rule is the "small-to-big" version; it replaces instances of the "small" S◁θ by a
"big" T◁θ, in the case in which s0 is negative in the tableau; there is also a "big-to-small" version
of the rule, which applies in the case in which s0 is strictly positive in the tableau (and therefore
strictly negative in the assertion). In schematic form, the ground version of this rule is as follows:

    assertions                 | goals | outputs
    F(S ≻ T)                   |       | f
    G(S⁺)                      |       | g
    F(false) or G(T)           |       | if S ≻ T
                               |       | then g
                               |       | else f

The rationale for this version is analogous to the rationale for the small-to-big version, and relies
on the negative part of the polarity proposition.

The precise version of the rule and its restrictions are analogous to the previous small-to-big
version.


TOTAL- RELATION  SUBSTITUTION  RULE 


The above rule applies to any relation ≺. If the relation ≺ is total, there is an additional rule
we can apply. (Recall that a relation ≺ is total if x ≺ y or x = y or y ≺ x, for all elements x
and y.)


Small-to-Big  Version 


Expressed in schematic form, the ground version of the rule is as follows:

    assertions                 | goals | outputs
    F(S ≺ T)                   |       | f
    G(S⁺)                      |       | g
    F(true) or G(T)            |       | if S ≺ T
                               |       | then f
                               |       | else g

Note that in this rule we require that the occurrence of S be strictly positive in the tableau (or,
equivalently, strictly negative in G(S)) with respect to ≺.

The  rationale  for  the  rule  is  as  follows.  Consider  an  interpretation  under  which  both  given 
assertions  are  true;  we  seek  to  show  that  the  derived  assertion  is  also  true  under  this  interpretation. 
Equivalently,  we  show  that  if  the  derived  assertion  is  false,  then  one  or  the  other  of  the  given 
assertions  is  false. 

Because the disjunction F(true) or G(T) is false, each of its disjuncts is false. In the case in
which S ≺ T is true, because the disjunct F(true) is false, we know the given assertion F(S ≺ T)
is false; in this case, f is a suitable output. In the case in which S ≺ T is false, because ≺ is
total, we know that S = T or T ≺ S.

In the case in which S = T, because the disjunct G(T) is false, we know the given assertion
G(S) is false; in this case, g is a suitable output. In the case in which T ≺ S, because the disjunct
G(T) is false, and because S is strictly negative in G(S), we know (by the negative part of the
polarity proposition) that again the given assertion G(S) is false; in this case also, g is a suitable
output.

In each case, the conditional expression if S ≺ T then f else g is a suitable output.

According to the polarity strategy, we need apply the rule only when some occurrence of S ≺
T in F(S ≺ T) is positive in the tableau. Thus, we never need to apply both the total ordering
substitution rule and the basic ordering substitution rule in the same situation. We may also
require that S not be a free variable.


We  omit  the  precise  description  for  the  total- relation  substitution  rule,  because  it  is  analogous 
to  the  basic  rule. 


Big-to-Small Version

The preceding version is "small-to-big"; it replaces the "small" S with the "big" T in G(S).
The corresponding "big-to-small" version of the rule, which replaces a "big" S with a "small" T,
is as follows (in schematic form for the ground case):

    assertions                 | goals | outputs
    F(S ≻ T)                   |       | f
    G(S⁻)                      |       | g
    F(true) or G(T)            |       | if S ≻ T
                               |       | then f
                               |       | else g

Note here that the occurrence of S in G(S) to be replaced is strictly negative in the tableau, i.e.,
positive in G(S). Furthermore, according to the polarity strategy, we need apply the rule only if
some occurrence of S ≻ T in F(S ≻ T) is positive in the tableau. We may also require that S
not be a free variable.


Example:

Suppose our tableau contains the assertion

    assertions                          | goals | outputs
    if p(x)                             |       |
    then not (f(x, d) < a)⁺             |       |

and the goal

    assertions | goals                                                      | outputs
               | [partly illegible in the scan; contains a boxed occurrence |
               | of f(b, y)]                                                |

Note that the <-relation is total over the integers and the boxed occurrence of f(b, y) in the goal
is strictly positive in the tableau with respect to <. Applying the AG-form of the total-relation
substitution rule small-to-big, taking θ to be

    {x ← b, y ← d}

we can replace f(b, d) with a in the goal to obtain the new goal

    [new goal illegible in the scan]

under true-false transformation.

Note that, because the annotated occurrence of f(x, d) < a in the assertion is positive, this
application of the total-relation substitution rule is in accordance with the polarity strategy.


RESOLUTION  WITH  RELATION  MATCHING 


The  preceding  rules  adapt  the  equality  substitution  rule  to  arbitrary  relations;  in  this  section 
we  adapt  the  resolution  rule  with  equality  matching  to  use  an  arbitrary  relation,  instead  of  equality. 

As  usual,  we  first  give  the  schematic  form  of  the  ground  version  of  the  rule. 


    assertions      goals                                    outputs
                    F(Z(T,S))                                f
                    G(Z(S⁺,T⁻))                              g
                    S ≼ T and F(true) and G(false)           if Z(S,T) then f else g


Here the notation Z(S⁺,T⁻) means that S is a strictly positive occurrence of a term, and T is a strictly negative occurrence of a term, not in the tableau, but in the boxed subsentence Z(S,T), with respect to the relation ≼. Also, Z(T,S) is the result of replacing S with T and T with S, simultaneously, in Z(S,T). We assume that S and T are distinct terms, and admit the special case in which either S or T does not actually occur in Z(S,T).

Note that, if this rule applies, resolution with equality matching also applies. When both rules apply, however, the rule with relation matching is preferable, as the derived goal of this rule is easier to establish than the derived goal of the equality rule. The goal for this rule has a weak inequality S ≼ T, in place of the full equality S = T required by the equality rule.

The rationale for this rule is as follows. Consider an interpretation under which the derived goal is true; we seek to show that one or the other of the two given goals is true.

Because the conjunction S ≼ T and F(true) and G(false) is true, each of its conjuncts is true. In the case in which Z(S,T) is false, because the conjunct G(false) is true, we know the given goal G(Z(S,T)) is also true; in this case, g is a suitable output. In the case in which Z(S,T) is true, because the conjunct S ≼ T is true, and because S is strictly positive and T strictly negative in Z(S,T), we know (by two applications of the polarity proposition) that Z(T,S) is also true. Therefore, because the conjunct F(true) is true, the given goal F(Z(T,S)) is also true; in this case, f is a suitable output. In either case, the conditional expression if Z(S,T) then f else g is a suitable output.

According to the polarity strategy, we need only apply either case of the rule if Z(T,S) is positive in the tableau and Z(S,T) is negative in the tableau.
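The rationale above can be checked mechanically. The following Python block is an added example, not code from the paper: it encodes sentences over a two-element domain as nested tuples, computes the polarity of a set-valued term occurrence with respect to the subset relation (positive if enlarging the set can only make the sentence truer), confirms the polarity proposition by exhaustive evaluation, and then enumerates every interpretation under which the derived goal S ≼ T and F(true) and G(false) holds, checking that the output if Z(S,T) then f else g always selects a given goal that is true. The sentence encoding, the particular Z (if c ∈ T then c ∈ S, in which S is strictly positive and T strictly negative), and the shapes chosen for F and G (a conjunction and a negation, loosely modelled on the first example that follows in the paper) are this example's own assumptions.

```python
"""Added example, not code from the paper: an exhaustive check, over a two-element domain, of the
polarity proposition and of the rationale for the resolution rule with relation matching.
Sentences are nested tuples: ('const', bool) | ('in', elem_name, set_name) | ('not', A)
| ('and', A, B) | ('or', A, B) | ('if', A, B), where 'if' is implication.  The encoding, Z_of,
F and G are this example's own assumptions."""
from itertools import product

DOMAIN = (0, 1)  # individuals; a set term denotes a subset of DOMAIN

def subsets():
    """All subsets of DOMAIN, as frozensets."""
    return [frozenset(e for e, keep in zip(DOMAIN, bits) if keep)
            for bits in product((0, 1), repeat=len(DOMAIN))]

def evaluate(s, env):
    """Truth value of sentence s under env (element names -> individuals, set names -> frozensets)."""
    tag = s[0]
    if tag == 'const': return s[1]
    if tag == 'in':    return env[s[1]] in env[s[2]]
    if tag == 'not':   return not evaluate(s[1], env)
    if tag == 'and':   return evaluate(s[1], env) and evaluate(s[2], env)
    if tag == 'or':    return evaluate(s[1], env) or evaluate(s[2], env)
    if tag == 'if':    return (not evaluate(s[1], env)) or evaluate(s[2], env)
    raise ValueError(tag)

def polarity(sentence, path, sign=1):
    """+1 if the set-term occurrence at `path` (child indices, ending at the set argument of an
    'in' atom) is positive with respect to the subset relation, -1 if it is negative."""
    i, *rest = path
    if sentence[0] == 'in':
        if i != 2 or rest:
            raise ValueError("path must end at the set argument of an 'in' atom")
        return sign  # x in X: enlarging X can only make the atom truer
    if sentence[0] == 'not' or (sentence[0] == 'if' and i == 1):
        sign = -sign  # negation and antecedent position flip the polarity
    return polarity(sentence[i], rest, sign)

def replace_at(sentence, path, name):
    """Copy of `sentence` with the set name at `path` replaced by `name`."""
    i, *rest = path
    new = name if not rest else replace_at(sentence[i], rest, name)
    return sentence[:i] + (new,) + sentence[i + 1:]

def names(sentence, elems, sets):
    """Collect the element and set names occurring in `sentence`."""
    if sentence[0] == 'in':
        elems.add(sentence[1]); sets.add(sentence[2])
    elif sentence[0] != 'const':
        for child in sentence[1:]:
            names(child, elems, sets)

def monotone(sentence, path, direction):
    """True if replacing the set at `path` by a superset (direction=+1) or by a subset (direction=-1)
    never turns the sentence from true to false, for every interpretation over DOMAIN."""
    elems, sets = set(), set()
    names(sentence, elems, sets)
    elems, sets = sorted(elems), sorted(sets - {'A', 'B'})
    before, after = replace_at(sentence, path, 'A'), replace_at(sentence, path, 'B')
    if direction < 0:
        before, after = after, before  # shrinking: go from B down to A
    for evals in product(DOMAIN, repeat=len(elems)):
        for svals in product(subsets(), repeat=len(sets)):
            for A, B in product(subsets(), repeat=2):
                if not A <= B:
                    continue
                env = dict(zip(elems, evals))
                env.update(zip(sets, svals))
                env['A'], env['B'] = A, B
                if evaluate(before, env) and not evaluate(after, env):
                    return False
    return True

def polarity_proposition_holds(sentence, path):
    """The polarity proposition: a positive occurrence may be enlarged, a negative one shrunk,
    without ever falsifying the sentence."""
    return monotone(sentence, path, polarity(sentence, path))

def Z_of(s, t):
    """Z(S,T) = (if c in T then c in S): S occurs strictly positively, T strictly negatively."""
    return ('if', ('in', 'c', t), ('in', 'c', s))

def F(hole, env): return hole and env['q']   # given goal F(Z(T,S)); here F(X) = X and q
def G(hole, env): return not hole            # given goal G(Z(S,T)); here G(X) = not X

def check_rule():
    """For every interpretation under which the derived goal  S <= T and F(true) and G(false)  holds,
    verify that the output  if Z(S,T) then f else g  selects a given goal that is true.
    Returns the number of interpretations on which the derived goal holds."""
    count = 0
    for S, T, c, q in product(subsets(), subsets(), DOMAIN, (False, True)):
        env = {'S': S, 'T': T, 'c': c, 'q': q}
        if not (S <= T and F(True, env) and G(False, env)):
            continue
        z_st = evaluate(Z_of('S', 'T'), env)   # the boxed subsentence of G
        z_ts = evaluate(Z_of('T', 'S'), env)   # the boxed subsentence of F
        chosen_goal_holds = F(z_ts, env) if z_st else G(z_st, env)
        if not chosen_goal_holds:
            raise AssertionError(f"rationale fails under {env}")
        count += 1
    return count
```

Only the ground version of the rule is modelled, which is all the rationale argues about: the connectives are negation, conjunction, disjunction and implication, and there are no quantifiers, so the dependency and no-escape restrictions of the precise rule play no part here. The check `monotone(Z, path, -1)` for the positive occurrence of S fails, which shows that the exhaustive check is not vacuous.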

The precise form of the resolution rule with relation matching is as follows.

Rule (resolution with relation matching):

    assertions    goals                                                    outputs
                  F                                                        f
                  G                                                        g
                  S◁θ ≼ T◁θ and
                  (F◁θ) ◁ {P1◁θ ← true, ..., Pk◁θ ← true} and
                  (G◁θ) ◁ {Q1◁θ ← false, ..., Qℓ◁θ ← false}                 if Z then f◁θ else g◁θ

Here we assume that

•  P1, ..., Pk are subsentences of F.

•  Q1, ..., Qℓ are subsentences of G.

•  S = {s1, ..., sm} and T = {t1, ..., tn} are sets of subterms of P1, ..., Pk, Q1, ..., and Qℓ.

•  Z is a sentence and θ a most-general substitution such that

   ■  θ unifies S; i.e., s1◁θ, ..., sm◁θ are identical terms, denoted by S◁θ.

   ■  θ unifies T; again, T◁θ denotes the unified term.

   ■  S◁θ and T◁θ are distinct terms.

   ■  Z is “falser” than all the sentences Pi◁θ; in other words, for each i between 1 and k,

        (Pi◁θ) ◁ {(S◁θ)⁻ ← T◁θ, (T◁θ)⁺ ← S◁θ} is Z.

      That is, Z can be obtained by replacing in Pi◁θ zero, one, or more strictly negative occurrences of S◁θ with T◁θ, and zero, one, or more strictly positive occurrences of T◁θ with S◁θ, simultaneously.

   ■  Z is “truer” than all the sentences Qj◁θ; in other words, for each j between 1 and ℓ,

        (Qj◁θ) ◁ {(S◁θ)⁺ ← T◁θ, (T◁θ)⁻ ← S◁θ} is Z.

•  If x is any variable in F or in G that occurs within the scope of a quantifier, then θ cannot instantiate x to any term containing a bound variable of F or of G. (dependency restriction)

•  No bound variable of F or of G may occur free in the new row. (no-escape restriction)
The dependency restriction may be relaxed as usual.

The discovery of the sentence Z, the sets S and T, and the substitution θ is the by-product of an attempt to unify the subsentences Pi and Qj, if the unification algorithm returns pairs of mismatched terms and their polarities when it nearly succeeds.

Example:

Suppose our tableau contains the two goals

    assertions    goals                            outputs
                  [c ∈ t] and [c ∈ s(x)]           f(x)
                  not [y ∈ s(a)]                   g(y)

(the boxed subsentences are shown in brackets). We attempt to apply GG-resolution, matching the boxed subsentences. The unification is nearly successful: if we take

    θ to be {x ← a, y ← c},

the only failure is the occurrence of the constant t in F, which will not unify with the corresponding occurrences of s(x) and s(a).

The mismatched terms, however, are strictly positive, not in the tableau, but in the boxed subsentences, with respect to the subset relation ≼subset. Therefore, we can apply the resolution rule with ≼subset-matching, taking

    P1 to be c ∈ t,
    P2 to be c ∈ s(x),
    Q1 to be y ∈ s(a),
    Z to be c ∈ s(a),
    S to be {s(x), s(a)},
    T to be {t}.

Note that

    (P1◁θ) ◁ {t⁺ ← s(a)} is Z,
    P2◁θ is Z,
    Q1◁θ is Z.

Therefore, we can add to our tableau the new goal

    assertions    goals                            outputs
                  s(a) ≼subset t and
                  (true and true) and
                  not false                        if c ∈ s(a) then f(a) else g(c)

which reduces to

                  s(a) ≼subset t                   if c ∈ s(a) then f(a) else g(c)

under true-false transformation.

The above deduction is more complex than a person would usually make in a single step. Let us show that the conclusion in this case is indeed correct.

Suppose that the new goal s(a) ≼subset t is true; we would like to show that one of the given goals is true. We distinguish between two cases.

Case: c ∈ s(a) is true.

Then, because s(a) ≼subset t, we know c ∈ t is also true. Therefore, if x is taken to be a, both conjuncts of the given goal F are true and, hence, f(a) is a suitable output.

Case: c ∈ s(a) is false.

Then, taking y to be c, the given goal G is true, and, hence, g(c) is a suitable output.

In either case, the conditional expression if c ∈ s(a) then f(a) else g(c) is a suitable output.



Example:

Suppose that our tableau contains the goal

    assertions                                  goals                                    outputs
                                                [p(z, rest(s)) and z ∈ s] and q(s)       z

and the assertion

    if r1(u)
      then if not r2(u)
        then [p(f(u), u) and f(u) ∈ u⁺]

(the boxed subsentences are shown in brackets). We attempt to apply GA-resolution between the goal and assertion, matching the boxed subsentences. The unification is nearly successful: if we take

    θ to be {u ← rest(s), z ← f(rest(s))},

the only failure is the annotated occurrence of the variable u in the assertion. This variable is instantiated by θ to be rest(s), and therefore will not unify with the corresponding occurrence of the constant s in the goal.

The mismatched terms, however, are strictly positive, not in the tableau, but in the boxed subsentences, with respect to the subset relation ≼subset. Therefore, we can apply the GA-resolution rule with ≼subset-matching. The sentence Z can be taken to be

    p(f(rest(s)), rest(s)) and f(rest(s)) ∈ rest(s),

which is obtained from the instantiated boxed subsentence of the goal,

    p(f(rest(s)), rest(s)) and f(rest(s)) ∈ s,

by replacing s with rest(s). The new goal we obtain is

    assertions    goals                                                 outputs
                  rest(s) ≼subset s and
                  (true and q(s)) and
                  not (if r1(rest(s))
                         then if not r2(rest(s))
                           then false)                                  f(rest(s))

which reduces to

                  rest(s) ≼subset s and
                  q(s) and
                  r1(rest(s)) and
                  not r2(rest(s))                                       f(rest(s))

under true-false transformation.

Note that, because the matched subsentence of the given goal is positive, and the matched subsentence of the given assertion is negative, in the tableau, the application of the rule is in accordance with the polarity strategy.
EXAMPLE: THE MAXIMUM ELEMENT OF A SET

The program max(s) to be constructed finds the greatest element of a finite set s of integers. Our initial specification is

    max(s) ⇐ find z such that
                 z ∈ s and
                 (∀y)[if y ∈ s then z ≥ y]
              where not s = { }.

The initial tableau for this specification is

    assertions            goals                                   outputs
                                                                  max(s)
    1. not s = { }
                          2. z ∈ s and
                             (∀y)[if y ∈ s then z ≥ y]            z

where s is a constant and z is a free variable.

The Induction Hypothesis

By the induction rule, we may consider an arbitrary input set s and assume that the program max(u) to be constructed will yield an output that satisfies the given specification, provided that the input u is a set strictly less than s in some well-founded ordering ≺w. Thus, we can add to our assertions the induction hypothesis

    assertions
    3. if u ≺w s
         then if not u = { }
           then max(u) ∈ u and
                (∀y)[if y ∈ u then max(u) ≥ y]

Dropping the Quantifiers

As we have indicated by annotation, the quantifier (∀y) in goal 2 is of universal force while the same quantifier in assertion 3 is of existential force. By the skolemization rules, we can replace the quantifier with a skolem function g in the goal and with a free variable y in the assertion, thereby obtaining a new goal and assertion

    goals                                                         outputs
    4. z ∈ s and
       if g(z) ∈ s then z ≥ g(z)                                  z

    assertions
    5. if u ≺w s
         then if not u = { }
           then max(u) ∈ u and
                if y ∈ u then max(u) ≥ y

We may think of the skolem term g(z) in goal 4 as an arbitrary element.


Decomposing the Goal

We assume we have among our assertions the nonempty-set membership axiom

    if not u = { }
      then [y ∈ u ≡ (y = elt(u) or y ∈ rest(u))]

Here elt(u) is an arbitrary element of the nonempty set u, while rest(u) is the set of all the other elements of u.

By the equivalence substitution rule, we can use this assertion to replace g(z) ∈ s in goal 4 with

    g(z) = elt(s) or g(z) ∈ rest(s),

obtaining (after transformation)

    goals                                                         outputs
    6. not s = { } and
       z ∈ s and
       if (g(z) = elt(s) or g(z) ∈ rest(s))
         then z ≥ g(z)                                            z

(In an alternative derivation, we apply the same axiom to the subsentence z ∈ s instead.)

The conjunct not s = { } of the goal may be dropped by GA-resolution against the input condition

    not s = { }

(assertion 1), obtaining

    7. z ∈ s and
       if (g(z) = elt(s) or g(z) ∈ rest(s))
         then z ≥ g(z)                                            z

The other instances of g(z) in the goal are allowed to remain. We shall use this goal twice in the derivation, once to give us the base cases and once to give us the recursive call.


The Base Cases

We can now apply the GA-resolution rule between goal 9 and the ≥-reflexivity axiom

    x ≥ x

taking θ = {x ← elt(s), z ← elt(s)}, obtaining

    goals                                                         outputs
    10. elt(s) ∈ s and
        (if g(elt(s)) ∈ rest(s)
           then elt(s) ≥ g(elt(s)))                               elt(s)

Note that we have found one instantiation for the output z. Assume that we have a member axiom for the element relation. We can then apply GA-resolution between the goal and the axiom, to obtain the goal

    11. not s = { } and
        if g(elt(s)) ∈ rest(s)
          then elt(s) ≥ g(elt(s))                                 elt(s)

The conjunct not s = { } can again be dropped by GA-resolution against the input condition not s = { }, yielding

    12. if g(elt(s)) ∈ rest(s)
          then elt(s) ≥ g(elt(s))                                 elt(s)

In other words, in the case that elt(s) is greater than or equal to any arbitrary element of rest(s), we know elt(s) is a suitable output. We shall use this goal twice in the derivation, to provide an output expression for the program's two base cases.


Introducing the Recursive Call

Recall that we have previously developed a goal 9,

    goals                                                         outputs
    9. [z ∈ s⁺ and
        (if g(z) ∈ rest(s) then z ≥ g(z))] and
       (if g(z) = elt(s) then z ≥ elt(s))                         z

(We have commuted the conjuncts in preparation for the next step.)

By GA-resolution with matching to this goal and the (skolemized) induction hypothesis (assertion 5)

    if u ≺w s
      then if not u = { }
        then [max(u) ∈ u⁺ and
              (if y ∈ u then max(u) ≥ y)]

taking

    θ = {u ← rest(s), z ← max(rest(s)), y ← g(max(rest(s)))}

we obtain the goal

    13. rest(s) ≼subset s and
        (if g(max(rest(s))) = elt(s)
           then max(rest(s)) ≥ [elt(s)]) and
        rest(s) ≺w s and
        not (rest(s) = { })                                       max(rest(s))

This step was possible because the annotated occurrence of u in the induction hypothesis is strictly positive, not in the tableau, but in the boxed subsentence, with respect to the proper-subset relation ≺subset.

At this stage, through the use of the induction hypothesis, a recursive call has appeared in the output column. We shall use the induction hypothesis one more time.


Introducing the Conditional Expression

Recall that we have previously developed a goal 12,

    goals                                                         outputs
    12. if g(elt(s)) ∈ rest(s)
          then [elt(s)] ≥ g(elt(s))                               elt(s)

The annotated occurrence of elt(s) in this goal is strictly positive with respect to the ≥-relation. Therefore, we can apply the total-relation substitution rule to goal 13 and goal 12 [bearing in mind that max(rest(s)) ≥ elt(s) is synonymous with elt(s) ≤ max(rest(s))] to replace elt(s) with max(rest(s)) in goal 12, obtaining the new goal

    14. rest(s) ≼subset s and
        rest(s) ≺w s and
        not (rest(s) = { }) and
        if g(elt(s)) ∈ rest(s)
          then max(rest(s)) ≥ g(elt(s))                           if max(rest(s)) ≥ elt(s)
                                                                    then max(rest(s))
                                                                    else elt(s)

Note that at this stage a conditional expression has appeared in the output column.

The last conjunct of the goal can be dropped by GA-resolution against the induction hypothesis

    if u ≺w s
      then if not u = { }
        then max(u) ∈ u and
             [if y ∈ u then max(u) ≥ y]

this time taking

    θ = {u ← rest(s), y ← g(elt(s))}.

We obtain the new goal

    15. rest(s) ≼subset s and
        rest(s) ≺w s and
        not (rest(s) = { })                                       if max(rest(s)) ≥ elt(s)
                                                                    then max(rest(s))
                                                                    else elt(s)

This completes our use of the induction hypothesis.


Choice of Ordering

Up to now we have not chosen the well-founded ordering on which our induction is based. We assume that among our assertions we have the axioms for many orderings.

We apply the equivalence substitution rule to the definition of the weak ordering ≼subset and the goal, obtaining

    goals                                                         outputs
    16. (rest(s) ≺subset s or rest(s) = s) and
        rest(s) ≺w s⁺ and
        not (rest(s) = { })                                       if max(rest(s)) ≥ elt(s)
                                                                    then max(rest(s))
                                                                    else elt(s)

By GA-resolution between the goal and the subset axiom

    if not u = { }
      then rest(u) ≺subset u

we reduce the goal to

    17. not (rest(s) = { }) and
        not s = { }⁺                                              if max(rest(s)) ≥ elt(s)
                                                                    then max(rest(s))
                                                                    else elt(s)

With this step, the well-founded ordering ≺w has been chosen to be the proper-subset ordering ≺subset over the finite sets.


Final Stages

The conjunct not s = { } is again dropped by GA-resolution between the goal and the input condition (assertion 1) not s = { }, obtaining

    goals                                                         outputs
    18. not (rest(s) = { })                                       if max(rest(s)) ≥ elt(s)
                                                                    then max(rest(s))
                                                                    else elt(s)

In other words, we have determined that, in the case in which rest(s) is not the empty set, a suitable output is given by the conditional expression in the output entry. Henceforth (intuitively speaking), we deal with the case in which rest(s) is the empty set.

Recall that we have already developed a goal 12,

    12. if g(elt(s)) ∈ [rest(s)]
          then elt(s) ≥ g(elt(s))                                 elt(s)

By equality substitution between goal 18 and goal 12, we can replace rest(s) with { } in goal 12, obtaining

    19. if g(elt(s)) ∈ { }
          then elt(s) ≥ g(elt(s))                                 if rest(s) = { }
                                                                    then elt(s)
                                                                    else if max(rest(s)) ≥ elt(s)
                                                                      then max(rest(s))
                                                                      else elt(s)

Note that at this stage an additional layer of conditional expression has been wrapped around the output entry.

At last, by AG-resolution between the empty-set membership axiom

    not [x ∈ { }]⁺

and goal 19, we obtain the final goal

    20. true                                                      if rest(s) = { }
                                                                    then elt(s)
                                                                    else if max(rest(s)) ≥ elt(s)
                                                                      then max(rest(s))
                                                                      else elt(s)

Because we have obtained the goal true with a primitive output entry, our proof is complete. The final program is thus

    max(s) ⇐ if rest(s) = { }
                then elt(s)
                else if max(rest(s)) ≥ elt(s)
                  then max(rest(s))
                  else elt(s).
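The synthesized program can be run against the specification it was derived from. The following Python block is an added example, not code from the paper: it transcribes the final program over frozensets, with elt(s) taken as an arbitrary fixed element of s (which element is a parameter, since the derivation never depends on the choice) and rest(s) as the remaining elements, and checks z ∈ s and (∀y)[if y ∈ s then z ≥ y] exhaustively on every nonempty subset of a small integer universe. The names max_set, meets_spec and check_all, the `choose` parameter and the test universe are this example's own.

```python
"""Added example, not code from the paper: the synthesized max program over finite sets, checked
against the specification it was derived from.  Names and the test universe are this example's own."""
from itertools import combinations

def elt(s, choose=min):
    """An arbitrary element of the nonempty set s; `choose` fixes which one (min by default)."""
    return choose(s)

def rest(s, choose=min):
    """The set of all the other elements of s: a proper subset of s, which is what makes the
    recursion well-founded under the proper-subset ordering chosen in the derivation."""
    return s - {elt(s, choose)}

def max_set(s, choose=min):
    """Transcription of the final program:
         max(s) <= if rest(s) = { } then elt(s)
                   else if max(rest(s)) >= elt(s) then max(rest(s)) else elt(s)
    The input condition not s = { } is enforced explicitly."""
    if not s:
        raise ValueError("input condition 'not s = { }' violated")
    if not rest(s, choose):
        return elt(s, choose)
    m = max_set(rest(s, choose), choose)  # the recursive call introduced via the induction hypothesis
    return m if m >= elt(s, choose) else elt(s, choose)

def meets_spec(s, z):
    """The specification: z in s and (forall y)(if y in s then z >= y)."""
    return z in s and all(z >= y for y in s)

def check_all(universe=range(-3, 4), max_size=4, choose=min):
    """Run max_set on every nonempty subset of `universe` with at most `max_size` elements.
    Returns the number of sets checked; raises on the first specification violation."""
    checked = 0
    for size in range(1, max_size + 1):
        for elems in combinations(universe, size):
            s = frozenset(elems)
            z = max_set(s, choose)
            if not meets_spec(s, z):
                raise AssertionError(f"max_set({sorted(s)}) = {z} violates the specification")
            checked += 1
    return checked
```

Running `check_all()` and `check_all(choose=max)` exercises both a choice of elt that never is the answer beyond singletons and one that always is, which is the point of the derivation treating elt(u) as an arbitrary element of u.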


STRATEGY  AND  DISCUSSION 


In  this  paper  we  have  mainly  disregarded  the  question  of  strategic  guidance.  We  envision  an 
automatic  implementation  of  our  deductive  system  to  be  governed  by  the  following  crude  strategy: 

•  Remove  all  quantifiers  of  strict  force  by  skolemization. 

•  If  a  rule  fails  to  apply  because  of  the  mismatching  of  two  bound  variables  or  the 
violation  of  the  dependency  or  no-escape  restrictions,  replace  the  offending  bound 
variables  by  eliminating  their  quantifiers,  after  first  getting  rid  of  any  surrounding 
equivalences  by  the  equivalence-removal  transformation  rules. 

•  Match  larger  subexpressions  and  subterms  before  matching  smaller  ones. 

In  other  words,  we  attempt  to  complete  the  proof  while  leaving  the  quantifiers  and  equivalences 
intact,  but  we  remove  them  when  the  presence  of  bound  variables  is  suspected  to  interfere  with 
the  proof. 

The derivations included in this paper are the most concise formal derivations we have seen for these programs. For an interactive system it is clearly better to introduce high-powered rules such as ours, so that deductions will be shorter and closer to a “natural,” intuitive argument. For an automatic system, however, it is not necessarily an improvement to introduce such rules, particularly if they duplicate the effects of several lower-level rules and thus lead to redundancy in the search for a proof.

However,  the  human  implementer  of  an  automatic  system  must  be  able  to  read  and  understand 
the  “trace,”  i.e.,  the  steps  in  the  search  for  a  proof.  When  the  system  is  led  astray,  the  synthesis 
system  designer  must  provide  heuristics  to  guide  the  search.  If  the  steps  of  the  trace  are  in  terms 
of  low-level  rules,  the  person  cannot  understand  it  well  enough  to  supply  this  heuristic  guidance. 
Our  hope  is  that  human-oriented  heuristics  will  be  easier  to  discover  if  proofs  are  expressed  in 
higher-level  steps.  Until  we  accumulate  experimental  evidence,  we  cannot  be  certain  how  efficient 
the  implementation  will  be. 